Malware Analysis Report

2024-11-16 12:15

Sample ID: 230707-w5d3lsae94
Target: 518544e56e8ccee401ffa1b0a.exe
SHA256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
Threat Level: Known bad

The file 518544e56e8ccee401ffa1b0a.exe was found to be: Known bad.

Malicious Activity Summary

Tags: phobos evasion persistence ransomware spyware stealer

Phobos
Renames multiple (476) files with added filename extension
Renames multiple (312) files with added filename extension
Deletes shadow copies
Modifies boot configuration data using bcdedit
Deletes backup catalog
Modifies Windows Firewall
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies Internet Explorer settings
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-07 18:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-07 18:29
Reported: 2023-07-07 18:32
Platform: win7-20230703-en
Max time kernel: 150s
Max time network: 32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\518544e56e8ccee401ffa1b0a.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9HQG8YBY\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EQBZZKRI\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0U4L7UHT\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOYER6OW\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8N3FTPS8\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3891603265-141683679-4067940827-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152558.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msdaprsr.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200279.WMF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLJRNLR.FAE.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Bahia.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OFFOWCI.DLL.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107300.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\settings.ini.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232797.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Eurosti.TTF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_kn.dll.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CLVWINTL.DLL C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.id[884B5D99-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
(64 identical entries for this process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2184 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2184 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 752 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 752 wrote to memory of 360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2184 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2184 wrote to memory of 976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2184 wrote to memory of 976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 740 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 740 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2032 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2032 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2032 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2032 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2032 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2032 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2032 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2032 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2032 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

memory/740-54-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2304-56-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2304-57-0x0000000000240000-0x000000000024F000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[884B5D99-3483].[[email protected]].8base

MD5 a003bec0b26747e15d1c6811bafefa6c
SHA1 3173b16d4b7b4cb576f55bdba2404fedcdb2c356
SHA256 83dd3fcf385384058af53aee863d4305498ccb234858c9deb590f43f23c1f086
SHA512 7254623a76a99d79fe4880d357df1a5155713ccd70b73451b74a9937e3bc3e105064e37b2f7de641a934eee5778f762b0a2c3635b88e0d9e535bb5ffa971d0ba

memory/740-288-0x0000000000400000-0x000000000092B000-memory.dmp

memory/740-1458-0x0000000000400000-0x000000000092B000-memory.dmp

memory/740-2907-0x0000000000400000-0x000000000092B000-memory.dmp

memory/740-4322-0x0000000000400000-0x000000000092B000-memory.dmp

memory/740-8328-0x0000000000400000-0x000000000092B000-memory.dmp

memory/740-10243-0x0000000000400000-0x000000000092B000-memory.dmp

C:\info.hta

MD5 47673791acfa06fe63ecfd6ff0934504
SHA1 b855a0c6a62dbd0fb4183f94ce06b170d2e9b745
SHA256 8ca4f7bde89ecd36693eced0f12e2377d7dda55074e643c26d0cd106df7272db
SHA512 d2d69fabefa84ce2675f198b10b39f5cebb67b502c386b41d2e85726bf55ac27682dafb184d79a5e8da7a484962c7f884ae02c8028e8ae11d7c92e3138fc86c7

C:\users\public\desktop\info.hta

MD5 47673791acfa06fe63ecfd6ff0934504
SHA1 b855a0c6a62dbd0fb4183f94ce06b170d2e9b745
SHA256 8ca4f7bde89ecd36693eced0f12e2377d7dda55074e643c26d0cd106df7272db
SHA512 d2d69fabefa84ce2675f198b10b39f5cebb67b502c386b41d2e85726bf55ac27682dafb184d79a5e8da7a484962c7f884ae02c8028e8ae11d7c92e3138fc86c7

C:\Users\Admin\Desktop\info.hta

MD5 47673791acfa06fe63ecfd6ff0934504
SHA1 b855a0c6a62dbd0fb4183f94ce06b170d2e9b745
SHA256 8ca4f7bde89ecd36693eced0f12e2377d7dda55074e643c26d0cd106df7272db
SHA512 d2d69fabefa84ce2675f198b10b39f5cebb67b502c386b41d2e85726bf55ac27682dafb184d79a5e8da7a484962c7f884ae02c8028e8ae11d7c92e3138fc86c7

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-07 18:29

Reported

2023-07-07 18:32

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (476) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\518544e56e8ccee401ffa1b0a.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3AA0E9A8-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4176143399-3250363947-192774652-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4176143399-3250363947-192774652-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF.id[3AA0E9A8-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.id[3AA0E9A8-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\ui-strings.js.id[3AA0E9A8-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4664 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4664 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2148 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2148 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2148 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2148 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4152 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 4152 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 4152 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 4152 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\SysWOW64\mshta.exe
PID 4152 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4364 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4364 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4364 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4364 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4184 -ip 4184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 468

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/4152-133-0x0000000000AB0000-0x0000000000AC5000-memory.dmp

memory/4152-135-0x0000000000AD0000-0x0000000000ADF000-memory.dmp

memory/4184-136-0x0000000000400000-0x000000000092B000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3AA0E9A8-3483].[[email protected]].8base

MD5 627e1c8f4674beadb7d6baf7a85d56ab
SHA1 8135dfb450d0743cfb10d502473737b9f4789130
SHA256 ecc16e2f54ece5a4c40325071840d968a77a8e163d9e4ec43dbf737426bf2377
SHA512 372a1e861f59cf2a34b3f6316e0411860fc777665cd34c567655c13f327def063eaad56ddc51f2ee5db75e51a181d9b559742efa2f640b928008c9b401a74256

memory/4152-725-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4152-3718-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4152-5000-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4152-6432-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4152-9288-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4152-11905-0x0000000000400000-0x000000000092B000-memory.dmp

C:\info.hta

MD5 a93a1ea5016ffee4cfc012ae42ce8d36
SHA1 16155fb2fef21cdabbd07d0911b4b2c50693319c
SHA256 c484936ba26d03ecc6a20041ce39d8e326bf8a801f76a845c2e743429d9f9605
SHA512 64a57527ebc296291accc3650966614dd06d514e97af05d54bfbf4713a85e036a9a44ee713e982439525a31e107c11f0a31c883422f7031c57a05f02441e81a5

C:\Users\Admin\Desktop\info.hta

MD5 a93a1ea5016ffee4cfc012ae42ce8d36
SHA1 16155fb2fef21cdabbd07d0911b4b2c50693319c
SHA256 c484936ba26d03ecc6a20041ce39d8e326bf8a801f76a845c2e743429d9f9605
SHA512 64a57527ebc296291accc3650966614dd06d514e97af05d54bfbf4713a85e036a9a44ee713e982439525a31e107c11f0a31c883422f7031c57a05f02441e81a5

C:\users\public\desktop\info.hta

MD5 a93a1ea5016ffee4cfc012ae42ce8d36
SHA1 16155fb2fef21cdabbd07d0911b4b2c50693319c
SHA256 c484936ba26d03ecc6a20041ce39d8e326bf8a801f76a845c2e743429d9f9605
SHA512 64a57527ebc296291accc3650966614dd06d514e97af05d54bfbf4713a85e036a9a44ee713e982439525a31e107c11f0a31c883422f7031c57a05f02441e81a5

F:\info.hta

MD5 a93a1ea5016ffee4cfc012ae42ce8d36
SHA1 16155fb2fef21cdabbd07d0911b4b2c50693319c
SHA256 c484936ba26d03ecc6a20041ce39d8e326bf8a801f76a845c2e743429d9f9605
SHA512 64a57527ebc296291accc3650966614dd06d514e97af05d54bfbf4713a85e036a9a44ee713e982439525a31e107c11f0a31c883422f7031c57a05f02441e81a5

memory/4152-12036-0x0000000000400000-0x000000000092B000-memory.dmp