Malware Analysis Report

2024-11-16 12:20

Sample ID: 230714-jaaeqacf43
Target: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

Threat Level: Known bad

The file 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c was found to be: Known bad.

Malicious Activity Summary

Tags: phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (452) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-14 07:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-14 07:27

Reported: 2023-07-14 07:30

Platform: win10-20230703-en

Max time kernel: 150s

Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (452) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[AA0406F3-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c = "C:\\Users\\Admin\\AppData\\Local\\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe" | C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c = "C:\\Users\\Admin\\AppData\\Local\\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe" | C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3569_32x32x32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Wide310x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_40x40x32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8498_32x32x32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11d.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_10h.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBottom.scale-140.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5671_20x20x32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pl_135x40.svg.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140.dll.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_background.jpg C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.ps1 C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\plugin.js C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-GB\toc.xml C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pt_16x11.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLL C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_cube.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\instrument.dll.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInRefocus.contrast-high_scale-125.png C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.id[AA0406F3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
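
The "File created" rows above show the Phobos naming scheme: the original name is kept and `.id[<victim id>].[<contact>].<extension>` is appended, here `.id[AA0406F3-3483].[<contact>].8base`. The parser below is an added example, not part of the sandbox report; it splits paths like the ones listed into those fields and groups them by campaign key. The contact address appears on this page only as the redacted placeholder `[email protected]`, so the parser treats whatever sits between the second pair of brackets as opaque text (which is why the placeholder still parses). The embedded paths are a constructed subset of the table above.

```python
"""Parse Phobos-style encrypted file names (added example, not sandbox output).

Phobos renames each encrypted file to
    <original name>.id[<victim id>].[<contact>].<extension>
and the file-creation records above show that suffix as
".id[AA0406F3-3483].[<contact>].8base".
"""
import ntpath
import re
from collections import Counter

# Lazy groups plus the end anchor let the contact field itself contain brackets
# (this page shows it as the redacted placeholder "[email protected]").
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(path):
    """Split one encrypted path into its fields; None if the name is not Phobos-renamed."""
    win_path = path.replace("/", "\\")
    m = PHOBOS_NAME.match(ntpath.basename(win_path))
    if m is None:
        return None
    fields = m.groupdict()
    fields["directory"] = ntpath.dirname(win_path)
    return fields


def summarize(paths):
    """Count files per (victim id, contact, extension) triple; one triple is one campaign key."""
    counts = Counter()
    for path in paths:
        fields = parse_phobos_name(path)
        if fields is not None:
            counts[(fields["victim"].upper(), fields["contact"], fields["ext"].lower())] += 1
    return counts


def unencrypted(paths):
    """Paths whose name does not carry the Phobos suffix (the 'opened for modification' originals)."""
    return [p for p in paths if parse_phobos_name(p) is None]


# Constructed input: a handful of paths copied from the Files table above.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jre1.8.0_66\bin\instrument.dll.id[AA0406F3-3483].[[email protected]].8base",
    r"C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.id[AA0406F3-3483].[[email protected]].8base",
    r"C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.id[AA0406F3-3483].[[email protected]].8base",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll",
    r"C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_cube.png",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_PATHS).items():
        print("victim %s, contact %s, extension .%s: %d files" % (key + (n,)))
    print("not renamed:", unencrypted(SAMPLE_PATHS))
```

Run over a full file listing from an affected host, `summarize` gives one key per victim ID and extension, which is what you need to confirm that every renamed file belongs to the same infection rather than to a second, earlier one.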

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A (this row is repeated 64 times in the sandbox output; no indicator or target was recorded for any of the enumeration calls)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; the sandbox did not resolve this LUID to a name) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3812 wrote to memory of 1928 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\system32\cmd.exe
PID 3812 wrote to memory of 4964 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\system32\cmd.exe
PID 4964 wrote to memory of 1716 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1928 wrote to memory of 5072 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1928 wrote to memory of 1316 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4964 wrote to memory of 4476 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1928 wrote to memory of 3840 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 4972 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 3024 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3812 wrote to memory of 3500 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\SysWOW64\mshta.exe
PID 3812 wrote to memory of 4484 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\SysWOW64\mshta.exe
PID 3812 wrote to memory of 4284 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\SysWOW64\mshta.exe
PID 3812 wrote to memory of 3328 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\SysWOW64\mshta.exe
PID 3812 wrote to memory of 4728 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe C:\Windows\system32\cmd.exe
PID 4728 wrote to memory of 292 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4728 wrote to memory of 760 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4728 wrote to memory of 2632 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 4456 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 4156 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Every target above is a process the writer had just started (the children in the Processes list below): two writes per native child and three per 32-bit mshta child, coinciding with process creation. No write into a pre-existing or unrelated process was recorded, so this signature reflects the process tree rather than code injection.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

Process tree, reconstructed from the parent/child pairs in the WriteProcessMemory table above (the sample runs as PID 3812). Each process is followed by its command line. Where a parent started two processes of the same image, both PIDs are given and the two command lines are listed in the order the sandbox reported them.

C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe (PID 3812)
  "C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"

  C:\Windows\system32\cmd.exe (PID 1928)
    "C:\Windows\system32\cmd.exe"

    C:\Windows\system32\vssadmin.exe (PID 5072)
      vssadmin delete shadows /all /quiet

    C:\Windows\System32\Wbem\WMIC.exe (PID 1316)
      wmic shadowcopy delete

    C:\Windows\system32\bcdedit.exe (PIDs 3840, 4972)
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      bcdedit /set {default} recoveryenabled no

    C:\Windows\system32\wbadmin.exe (PID 3024)
      wbadmin delete catalog -quiet

  C:\Windows\system32\cmd.exe (PID 4964)
    "C:\Windows\system32\cmd.exe"

    C:\Windows\system32\netsh.exe (PIDs 1716, 4476)
      netsh advfirewall set currentprofile state off
      netsh firewall set opmode mode=disable
      (the second command uses the legacy pre-Vista "netsh firewall" context, which later Windows versions keep for compatibility and mark as deprecated)

  C:\Windows\SysWOW64\mshta.exe (PIDs 3500, 4484, 4284, 3328; one per dropped ransom note)
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

  C:\Windows\system32\cmd.exe (PID 4728; a second run of the same recovery-inhibition batch)
    "C:\Windows\system32\cmd.exe"

    C:\Windows\system32\vssadmin.exe (PID 292)
      vssadmin delete shadows /all /quiet

    C:\Windows\System32\Wbem\WMIC.exe (PID 760)
      wmic shadowcopy delete

    C:\Windows\system32\bcdedit.exe (PIDs 2632, 4456)
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      bcdedit /set {default} recoveryenabled no

    C:\Windows\system32\wbadmin.exe (PID 4156)
      wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe (second instance; its parent is not recorded in the WriteProcessMemory table)
  "C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"

Service processes started on demand by the service control manager or DCOM while the commands above ran, not children of the sample:

C:\Windows\system32\vssvc.exe (Volume Shadow Copy service, used by vssadmin and wmic shadowcopy)
  C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe (Block Level Backup Engine service, used by wbadmin)
  "C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe (Virtual Disk Service loader, launched via DCOM)
  C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (Virtual Disk Service; the process that performed the SCSI registry reads listed above)
  C:\Windows\System32\vds.exe
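
Detection logic for the chain above, as an added example that is not part of the sandbox report: it replays constructed process-creation events (Sysmon-style pid/ppid/image/command-line records built from the command lines and parent/child PIDs listed in this report), matches each against a small rule table, and correlates the hits back to the root process so that the whole recovery-inhibition chain, not one LOLBin on its own, is what gets flagged. Assumptions: the pairing of the two bcdedit and two netsh PIDs with their command lines follows the report's listing order, the sample's parent PID 1100 is hypothetical, the benign `vssadmin list shadows` event is made up to show a non-match, and the ATT&CK technique IDs are this example's own mapping, not something the report states.

```python
"""Correlate recovery-inhibition LOLBin launches back to their root process (added example)."""
import ntpath
import re
from collections import defaultdict

# Rule table: (category, ATT&CK technique, image basename, regex over the command line).
# The technique IDs are this example's own mapping.
RULES = [
    ("shadow_copy_delete",    "T1490",     "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("shadow_copy_delete",    "T1490",     "wmic.exe",     r"\bshadowcopy\s+delete\b"),
    ("boot_recovery_disable", "T1490",     "bcdedit.exe",  r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b"),
    ("backup_catalog_delete", "T1490",     "wbadmin.exe",  r"\bdelete\s+catalog\b"),
    ("firewall_disable",      "T1562.004", "netsh.exe",    r"advfirewall\s+set\s+\w+\s+state\s+off\b|firewall\s+set\s+opmode\s+mode=disable\b"),
    ("ransom_note_display",   "T1218.005", "mshta.exe",    r"\.hta\b"),
]
COMPILED = [(cat, tid, img, re.compile(rx, re.IGNORECASE)) for cat, tid, img, rx in RULES]


def match_event(event):
    """Return the (category, technique) pairs whose rule fires on one process-creation event."""
    name = ntpath.basename(event["image"]).lower()
    return [(cat, tid) for cat, tid, img, rx in COMPILED
            if name == img and rx.search(event["cmdline"])]


def root_pid(pid, parents):
    """Walk the parent chain until the parent is outside the observed event set."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, min_categories=3):
    """Group rule hits by root process and keep roots that reach min_categories distinct categories.

    A single 'vssadmin delete shadows' from an admin script is noise; the same root
    deleting shadows, disabling recovery, wiping the backup catalog and turning off
    the firewall within one tree is the ransomware pattern this report shows.
    """
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(lambda: {"categories": set(), "techniques": set(), "pids": set()})
    for e in events:
        for cat, tid in match_event(e):
            root = root_pid(e["pid"], parents)
            hits[root]["categories"].add(cat)
            hits[root]["techniques"].add(tid)
            hits[root]["pids"].add(e["pid"])
    return {root: h for root, h in hits.items() if len(h["categories"]) >= min_categories}


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"
CMD = r"C:\Windows\system32\cmd.exe"
NOTE_GUID = "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed event stream. PIDs and parent/child links follow the report's
# WriteProcessMemory records; which of the two bcdedit/netsh PIDs ran which
# command line is assumed from listing order. PID 1100 (the sample's parent) is hypothetical.
EVENTS = [
    ev(3812, 1100, SAMPLE_EXE, '"%s"' % SAMPLE_EXE),
    ev(1928, 3812, CMD, '"%s"' % CMD),
    ev(5072, 1928, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(1316, 1928, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(3840, 1928, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ev(4972, 1928, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ev(3024, 1928, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ev(4964, 3812, CMD, '"%s"' % CMD),
    ev(1716, 4964, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ev(4476, 4964, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    ev(3500, 3812, r"C:\Windows\SysWOW64\mshta.exe",
       '"C:\\Windows\\SysWOW64\\mshta.exe" "C:\\Users\\Admin\\Desktop\\info.hta" ' + NOTE_GUID * 2),
    # Benign noise (constructed): an administrator listing shadow copies must not fire.
    ev(7777, 7000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for root, h in correlate(EVENTS).items():
        print("root PID %d: %s via %s" % (root, sorted(h["categories"]), sorted(h["techniques"])))
```

The threshold of three categories is a starting point: on hosts where `vssadmin` or `wbadmin` never run legitimately, a single category under a non-system parent is already worth an alert.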

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.5.4.6.5.6.4.7.3.6.5.6.0.0.0.0.f.f.f.f.9.b.b.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
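
All four network events are reverse (PTR) lookups sent to the sandbox's resolver at 8.8.8.8; the query names are reversed-octet (`in-addr.arpa`) or reversed-nibble (`ip6.arpa`) encodings of the address being looked up, and the sample opens no connection of its own in this run. The decoder below is an added example, not part of the report; it turns the query names from this table back into the addresses they encode. A constructed copy of the rows above is embedded as input.

```python
"""Decode reverse-DNS (PTR) query names back into addresses (added example)."""
import ipaddress

HEX = set("0123456789abcdef")


def decode_ptr_name(qname):
    """Return the address a PTR query name refers to, or None for malformed names."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:          # partial (zone) names carry fewer labels
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        except ValueError:            # e.g. an octet outside 0..255
            return None
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 or n not in HEX for n in nibbles):
            return None
        digits = "".join(reversed(nibbles))
        groups = [digits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    return None


def decode_rows(rows):
    """Annotate (country, destination, query name, proto) rows with the decoded address."""
    return [{"resolver": dest, "proto": proto, "query": qname, "address": decode_ptr_name(qname)}
            for _country, dest, qname, proto in rows]


# Constructed copy of the Network table above.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "4.5.4.6.5.6.4.7.3.6.5.6.0.0.0.0.f.f.f.f.9.b.b.0.8.0.8.0.8.0.8.0.ip6.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.57.101.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.17.178.52.in-addr.arpa", "udp"),
]

if __name__ == "__main__":
    for row in decode_rows(NETWORK_ROWS):
        print(row["query"], "->", row["address"])
```

The three IPv4 names decode to 8.8.8.8, 20.101.57.9 and 52.178.17.2; the `ip6.arpa` name decodes to 808:808:bb9:ffff:0:6563:7465:6454, which is not an address the sandbox host would have been talking to, so that query is better read as a malformed lookup than as a contact with any real IPv6 endpoint.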

Files

memory/3812-119-0x0000000000790000-0x0000000000890000-memory.dmp

memory/3812-120-0x00000000005D0000-0x00000000005DF000-memory.dmp

memory/3812-121-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[AA0406F3-3483].[[email protected]].8base

MD5 25a114b2e24990bbe69e01a6707d52ae
SHA1 37aad27b127639ea17013ed62926dde845b89711
SHA256 ad086f743def099a44240b34a3179cd533387d5b8a6b3236f2eb4d9137e29091
SHA512 d786f8a604a3f87c8bb431cf2097faa8e8a1db9a5885e1642e3caee940183a52516c411bc71a00f44e40136d3cc419dede288bb413df690ab8738330daf509f9

memory/3812-550-0x0000000000790000-0x0000000000890000-memory.dmp

memory/3812-1331-0x00000000005D0000-0x00000000005DF000-memory.dmp

memory/3812-1831-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4552-1961-0x0000000000550000-0x0000000000650000-memory.dmp

memory/4552-1962-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-1969-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-2496-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-4980-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-6291-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-10164-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3812-11975-0x0000000000400000-0x000000000049A000-memory.dmp

C:\info.hta

MD5 b0b9f3958d60df89ebea9f9e6540b8f8
SHA1 0e493d3a5450ba8cba67f990d17b1904065968fe
SHA256 57cd11dcf7fa319c3e4d064e85756718f9a5986d24fcfbf6d74f58a5434af366
SHA512 e88b77d14740c280110c237f791752dfb65be08e4118f27c1239a81d5bb6625349ccf677b83c21ec7b0d5b3dc8f1088ab19b56b1d423cce872992d4fad20a80c

C:\Users\Admin\Desktop\info.hta

MD5 b0b9f3958d60df89ebea9f9e6540b8f8
SHA1 0e493d3a5450ba8cba67f990d17b1904065968fe
SHA256 57cd11dcf7fa319c3e4d064e85756718f9a5986d24fcfbf6d74f58a5434af366
SHA512 e88b77d14740c280110c237f791752dfb65be08e4118f27c1239a81d5bb6625349ccf677b83c21ec7b0d5b3dc8f1088ab19b56b1d423cce872992d4fad20a80c

C:\users\public\desktop\info.hta

MD5 b0b9f3958d60df89ebea9f9e6540b8f8
SHA1 0e493d3a5450ba8cba67f990d17b1904065968fe
SHA256 57cd11dcf7fa319c3e4d064e85756718f9a5986d24fcfbf6d74f58a5434af366
SHA512 e88b77d14740c280110c237f791752dfb65be08e4118f27c1239a81d5bb6625349ccf677b83c21ec7b0d5b3dc8f1088ab19b56b1d423cce872992d4fad20a80c

F:\info.hta

MD5 b0b9f3958d60df89ebea9f9e6540b8f8
SHA1 0e493d3a5450ba8cba67f990d17b1904065968fe
SHA256 57cd11dcf7fa319c3e4d064e85756718f9a5986d24fcfbf6d74f58a5434af366
SHA512 e88b77d14740c280110c237f791752dfb65be08e4118f27c1239a81d5bb6625349ccf677b83c21ec7b0d5b3dc8f1088ab19b56b1d423cce872992d4fad20a80c

memory/3812-12112-0x0000000000400000-0x000000000049A000-memory.dmp