Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: 40a2a330dece024db63f275748eb3d7a.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 40a2a330dece024db63f275748eb3d7a.exe
  Resource: win10v2004-20230915-en
General
Target: 40a2a330dece024db63f275748eb3d7a.exe
Size: 549KB
MD5: 40a2a330dece024db63f275748eb3d7a
SHA1: 97508bbbff47aa06a381ff80428b8578d4daafb5
SHA256: 7e18ff461e3fc159c9b6634c9250600ea4c62da604885697c95d9bac794109b8
SHA512: dcec48482463a960d47ea93b655dfec3ca88561fab3648b5ab8a8e7253a59d282c7cd4392daec9d3c95ebe9fb5265961705433c2374f6ffe2348123e586ed0a4
SSDEEP: 12288:yVthvdMSOXfbbOPFErVy0MRRp1o6tD5B:k3FMFXfXOPmRy0Wp1Ft
Malware Config
Extracted
C:\info.hta
Extracted
C:\users\public\desktop\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
  pid   process
  2904  bcdedit.exe
  1344  bcdedit.exe
  668   bcdedit.exe
  1556  bcdedit.exe
-
Renames multiple (319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
  pid   process
  2340  wbadmin.exe
  2004  wbadmin.exe
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 3 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe (process column is the same for every entry)
  description                  ioc
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[039B1606-3483].[[email protected]].8base
  File created                  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\40a2a330dece024db63f275748eb3d7a.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe (process column is the same for every entry)
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40a2a330dece024db63f275748eb3d7a = "C:\\Users\\Admin\\AppData\\Local\\40a2a330dece024db63f275748eb3d7a.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\40a2a330dece024db63f275748eb3d7a = "C:\\Users\\Admin\\AppData\\Local\\40a2a330dece024db63f275748eb3d7a.exe"
-
Drops desktop.ini file(s) 64 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe (process column is the same for every entry; description is "File opened for modification" for all 64)
  ioc
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\02OOHV4D\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0J2UEIB8\desktop.ini
  C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2LXIJ0H1\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-3849525425-30183055-657688904-1000\desktop.ini
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Program Files\Microsoft Games\FreeCell\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  C:\Program Files\Microsoft Games\Solitaire\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6469KX93\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Program Files\Microsoft Games\Mahjong\desktop.ini
  C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Program Files\Microsoft Games\Hearts\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
  C:\Users\Public\Videos\Sample Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NUF8MUR6\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S5GU6AIX\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2XJAS4BM\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4DS4XC3A\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Program Files\Microsoft Games\Chess\desktop.ini
  C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe (both source and target process are 40a2a330dece024db63f275748eb3d7a.exe in every entry)
  description                               pid   target pid
  PID 2816 set thread context of 3064       2816  3064
  PID 2788 set thread context of 2872       2788  2872
-
Drops file in Program Files directory 64 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe (process column is the same for every entry)
  description                  ioc
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18225_.WMF
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png
  File created                  C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107458.WMF
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBEMAIL.POC
  File created                  C:\Program Files\7-Zip\Lang\gu.txt.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll
  File created                  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Module.eftx.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
  File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGHEADING.XML
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\sqloledb.dll
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
  File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaremr.dll.mui
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\VideoLAN\VLC\skins\skin.dtd.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\MYSL.ICO.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Anchorage
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02262_.WMF.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png
  File opened for modification  C:\Program Files\Java\jre7\lib\deploy\splash.gif
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll
  File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.id[039B1606-3483].[[email protected]].8base
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.id[039B1606-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\MSAEXP30.DLL.id[039B1606-3483].[[email protected]].8base
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  2440  vssadmin.exe
  1956  vssadmin.exe
-
Processes: mshta.exe (4 entries, all the same key and process)
  description  ioc
  Key created  \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  3064  40a2a330dece024db63f275748eb3d7a.exe   (this single entry is repeated for all 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe, vssvc.exe, WMIC.exe, wbengine.exe (64 token entries, in report order)
  pid   process                                token
  2816  40a2a330dece024db63f275748eb3d7a.exe   SeDebugPrivilege
  2788  40a2a330dece024db63f275748eb3d7a.exe   SeDebugPrivilege
  3064  40a2a330dece024db63f275748eb3d7a.exe   SeDebugPrivilege
  692   vssvc.exe                              SeBackupPrivilege
  692   vssvc.exe                              SeRestorePrivilege
  692   vssvc.exe                              SeAuditPrivilege
  960   WMIC.exe                               the following 20 tokens, listed twice in the report (40 entries):
                                               SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                                               SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
                                               SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                                               SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2404  wbengine.exe                           SeBackupPrivilege
  2404  wbengine.exe                           SeRestorePrivilege
  2404  wbengine.exe                           SeSecurityPrivilege
  1260  WMIC.exe                               SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                                               SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
                                               SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                                               SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege (15 entries; the report's list ends here at 64 IoCs)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 40a2a330dece024db63f275748eb3d7a.exe, cmd.exe (64 entries; identical rows grouped with their count, in report order)
  description                         pid   process                                target process                         count
  PID 2816 wrote to memory of 3064    2816  40a2a330dece024db63f275748eb3d7a.exe   40a2a330dece024db63f275748eb3d7a.exe   11
  PID 2788 wrote to memory of 2872    2788  40a2a330dece024db63f275748eb3d7a.exe   40a2a330dece024db63f275748eb3d7a.exe   11
  PID 3064 wrote to memory of 3040    3064  40a2a330dece024db63f275748eb3d7a.exe   cmd.exe                                4
  PID 3064 wrote to memory of 2036    3064  40a2a330dece024db63f275748eb3d7a.exe   cmd.exe                                4
  PID 2036 wrote to memory of 1832    2036  cmd.exe                                netsh.exe                              3
  PID 3040 wrote to memory of 1956    3040  cmd.exe                                vssadmin.exe                           3
  PID 2036 wrote to memory of 3052    2036  cmd.exe                                netsh.exe                              3
  PID 3040 wrote to memory of 960     3040  cmd.exe                                WMIC.exe                               3
  PID 3040 wrote to memory of 2904    3040  cmd.exe                                bcdedit.exe                            3
  PID 3040 wrote to memory of 1344    3040  cmd.exe                                bcdedit.exe                            3
  PID 3040 wrote to memory of 2340    3040  cmd.exe                                wbadmin.exe                            3
  PID 3064 wrote to memory of 1812    3064  40a2a330dece024db63f275748eb3d7a.exe   mshta.exe                              4
  PID 3064 wrote to memory of 1984    3064  40a2a330dece024db63f275748eb3d7a.exe   mshta.exe                              4
  PID 3064 wrote to memory of 1624    3064  40a2a330dece024db63f275748eb3d7a.exe   mshta.exe                              4
  PID 3064 wrote to memory of 2448    3064  40a2a330dece024db63f275748eb3d7a.exe   mshta.exe                              1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process tree (child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe
    command line: C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe
        command line: C:\Users\Admin\AppData\Local\Temp\40a2a330dece024db63f275748eb3d7a.exe

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe
        command line: netsh advfirewall set currentprofile state off
        - Modifies Windows Firewall

      C:\Windows\system32\netsh.exe
        command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
      - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
      - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
      - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
      - Modifies Internet Explorer settings

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"

      C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[039B1606-3483].[[email protected]].8base
Filesize: 24.4MB
MD5: 5ec8c9d184422aa339ec419e43b518f5
SHA1: 888d0c9b1c67aa3915f93cb1a071fc08d770e2e5
SHA256: 9ed1a0dab6572b2b5b31f1f87a741b83984bca97f804313b2956aa00c5194a78
SHA512: 5d46ed993160ce61b134665bd2af8541e6d5c325b0ad3f86d16d9927be3bb57ef577a5a12ba725a62b360d165e8abe7c985f37cc65c07f9e0658a7200b854432
-
C:\Users\Admin\Desktop\info.hta
Filesize: 5KB
MD5: 12d1157b2dc09d789acd4d088cff8ee4
SHA1: 7bd918dc3d13a4fb912f0297cf878efbac2138ae
SHA256: 01123705a257192a7d36308b2229989fd0696488b1a1e046cd4b515eb31cf8af
SHA512: 75df99566633b32d3add8d25cd5718cb27cdf61b7a6135a3fc4486fafdfdc3d88d1a12fa1f99c0031ab42c87a9462423d26c076a705ba8e4e8398ba9f04b0199
-
C:\info.hta
Filesize: 5KB
MD5: 12d1157b2dc09d789acd4d088cff8ee4
SHA1: 7bd918dc3d13a4fb912f0297cf878efbac2138ae
SHA256: 01123705a257192a7d36308b2229989fd0696488b1a1e046cd4b515eb31cf8af
SHA512: 75df99566633b32d3add8d25cd5718cb27cdf61b7a6135a3fc4486fafdfdc3d88d1a12fa1f99c0031ab42c87a9462423d26c076a705ba8e4e8398ba9f04b0199
-
C:\users\public\desktop\info.hta
Filesize: 5KB
MD5: 12d1157b2dc09d789acd4d088cff8ee4
SHA1: 7bd918dc3d13a4fb912f0297cf878efbac2138ae
SHA256: 01123705a257192a7d36308b2229989fd0696488b1a1e046cd4b515eb31cf8af
SHA512: 75df99566633b32d3add8d25cd5718cb27cdf61b7a6135a3fc4486fafdfdc3d88d1a12fa1f99c0031ab42c87a9462423d26c076a705ba8e4e8398ba9f04b0199
-
F:\info.hta
Filesize: 5KB
MD5: 12d1157b2dc09d789acd4d088cff8ee4
SHA1: 7bd918dc3d13a4fb912f0297cf878efbac2138ae
SHA256: 01123705a257192a7d36308b2229989fd0696488b1a1e046cd4b515eb31cf8af
SHA512: 75df99566633b32d3add8d25cd5718cb27cdf61b7a6135a3fc4486fafdfdc3d88d1a12fa1f99c0031ab42c87a9462423d26c076a705ba8e4e8398ba9f04b0199
-
Memory dumps (name: filesize)
memory/2788-21-0x0000000074A30000-0x000000007511E000-memory.dmp: 6.9MB
memory/2788-20-0x0000000000940000-0x0000000000986000-memory.dmp: 280KB
memory/2788-19-0x0000000000EB0000-0x0000000000F40000-memory.dmp: 576KB
memory/2788-33-0x0000000074A30000-0x000000007511E000-memory.dmp: 6.9MB
memory/2788-22-0x0000000004880000-0x00000000048C0000-memory.dmp: 256KB
memory/2816-5-0x0000000004680000-0x00000000046CC000-memory.dmp: 304KB
memory/2816-0-0x0000000000EB0000-0x0000000000F40000-memory.dmp: 576KB
memory/2816-16-0x0000000074AF0000-0x00000000751DE000-memory.dmp: 6.9MB
memory/2816-4-0x0000000000600000-0x0000000000634000-memory.dmp: 208KB
memory/2816-3-0x0000000004990000-0x00000000049D0000-memory.dmp: 256KB
memory/2816-2-0x00000000005C0000-0x0000000000606000-memory.dmp: 280KB
memory/2816-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp: 6.9MB
memory/2872-35-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/2872-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/3064-10-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-75-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-17-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-14-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-45-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-47-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-48-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-51-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-53-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-57-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-65-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-18-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/3064-297-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-2902-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-3157-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-3161-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-11-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-9-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-8-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-7-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB
memory/3064-6-0x0000000000400000-0x0000000000413000-memory.dmp: 76KB