Malware Analysis Report

2024-11-16 12:19

Sample ID 230714-1crkfsgb52
Target c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30
SHA256 c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30 was found to be: Known bad.

Malicious Activity Summary

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (471) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Modifies registry class

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 21:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 21:30

Reported

2023-07-14 21:33

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (471) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[9213850F-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30 = "C:\\Users\\Admin\\AppData\\Local\\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe" | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30 = "C:\\Users\\Admin\\AppData\\Local\\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe" | C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe | N/A

Drops desktop.ini file(s)

Drops file in Program Files directory

File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\system32\cmd.exe
PID 4284 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4284 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2368 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2368 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4604 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\SysWOW64\mshta.exe
PID 4604 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\SysWOW64\mshta.exe
PID 4604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\SysWOW64\mshta.exe
PID 4604 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\SysWOW64\mshta.exe
PID 4604 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe C:\Windows\system32\cmd.exe
PID 3896 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3896 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3896 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3896 wrote to memory of 3744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3896 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe

"C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe"

C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe

"C:\Users\Admin\AppData\Local\Temp\c447b9a04d36e1a1e8560fc380dec019ec3b63506d07d0116e1ec2c28a9b1c30.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3064 -ip 3064

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 500

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3064 -ip 3064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3064 -ip 3064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 536

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp

Files

memory/4604-134-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/4604-135-0x0000000002230000-0x000000000223F000-memory.dmp

memory/4604-136-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[9213850F-3483].[[email protected]].8base

MD5 0443bd9dfa2230910f732268e10bc690
SHA1 9f4bc38d8750db59081b40d8b7913693b8b0c5ea
SHA256 c0087914f6887edc81c7ca471c3bb47ce78ba6fd65a134832e8e98f623d85eb5
SHA512 f2047f36a6ff087c853288207e8207f0446258cc0829344dc1ec319378bdc969e51f9e6f50c51cb29e25c8c6e1acdda2cc475a578500528d88306c61fb329eee

memory/4604-348-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/4604-432-0x0000000002230000-0x000000000223F000-memory.dmp

memory/4604-762-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-807-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3064-808-0x0000000000740000-0x0000000000840000-memory.dmp

memory/3064-809-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-3216-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-4656-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-5630-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-8335-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4604-11741-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\info.hta

MD5 4d7c55de7e24e9eadc29271cea9430c4
SHA1 28deb7131aae2aa933bede3cc8c290ae6148e954
SHA256 4957660cc273aaec073884b3c7a550e8869f321fe5eb484a303650aec821aa79
SHA512 4ca8e1425894bef2b4966fc3c26bc065779cfa137e894d6e93b824469bb3e8c1d5e71ecb2208222bef6d1d08234a92f68d962f38b4ee1d8594bbb9f3619c3f50

C:\Users\Admin\Desktop\info.hta

MD5 4d7c55de7e24e9eadc29271cea9430c4
SHA1 28deb7131aae2aa933bede3cc8c290ae6148e954
SHA256 4957660cc273aaec073884b3c7a550e8869f321fe5eb484a303650aec821aa79
SHA512 4ca8e1425894bef2b4966fc3c26bc065779cfa137e894d6e93b824469bb3e8c1d5e71ecb2208222bef6d1d08234a92f68d962f38b4ee1d8594bbb9f3619c3f50

C:\users\public\desktop\info.hta

MD5 4d7c55de7e24e9eadc29271cea9430c4
SHA1 28deb7131aae2aa933bede3cc8c290ae6148e954
SHA256 4957660cc273aaec073884b3c7a550e8869f321fe5eb484a303650aec821aa79
SHA512 4ca8e1425894bef2b4966fc3c26bc065779cfa137e894d6e93b824469bb3e8c1d5e71ecb2208222bef6d1d08234a92f68d962f38b4ee1d8594bbb9f3619c3f50

F:\info.hta

MD5 4d7c55de7e24e9eadc29271cea9430c4
SHA1 28deb7131aae2aa933bede3cc8c290ae6148e954
SHA256 4957660cc273aaec073884b3c7a550e8869f321fe5eb484a303650aec821aa79
SHA512 4ca8e1425894bef2b4966fc3c26bc065779cfa137e894d6e93b824469bb3e8c1d5e71ecb2208222bef6d1d08234a92f68d962f38b4ee1d8594bbb9f3619c3f50

memory/4604-12089-0x0000000000400000-0x00000000004E3000-memory.dmp