Malware Analysis Report

2024-09-11 02:31

Sample ID 240106-lb4q3acdhk
Target 45de70c85ece8763c685808eea085df4
SHA256 d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
Tags

medusalocker evasion ransomware trojan spyware stealer

Score

10/10

Analysis Overview

Score

10/10

SHA256

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

Threat Level: Known bad

The file 45de70c85ece8763c685808eea085df4 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware trojan spyware stealer

UAC bypass

MedusaLocker

Medusalocker family

MedusaLocker payload

Deletes shadow copies

Renames multiple (299) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-06 09:22

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 09:22

Reported

2024-01-06 09:25

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

Signatures

MedusaLocker

ransomware medusalocker

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A (this identical row is recorded 58 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 204.79.197.200:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 09:22

Reported

2024-01-06 09:26

Platform

win7-20231215-en

Max time kernel

157s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Deletes shadow copies

ransomware

Renames multiple (299) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A (this identical row is recorded 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1512 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1512 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1512 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1512 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {7E6EA69A-AA12-45D7-A95D-1500650A16EB} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 2f039ec07baada20089e7e8ba19b0abb
SHA1 f332390c98d1f5fe89076be8ffa8cc362e8904f1
SHA256 6d7abe503afd32ac69ffb94590289fd38c8981bc7ce1c6db528b7190dcf471d7
SHA512 5c04b3540f14c1b95d0f7dfb2bb29d131d02738d867d562d299504a64167c87621344e79ffb346565c9d5166d5b00951ee3b3f354f9dc47725dc7d3652f4062a

C:\Users\Default\NTUSER.DAT.LOG2

MD5 1fe8ea70da98ea4440af632dcfc3dd00
SHA1 54060a011c25f6b1a31f899656e96a0d7dcbf927
SHA256 f1365c9d9353c22f097ac48f0c01d9108a1159ab116a3e71692d680d0e91838c
SHA512 e748ad0241e032f52bd6ef110e51bb5f80223139c2eada54112c2e00c89863a9045cf32f99dbd30f99f79d6782bf88adf72c7fd3ae4dbc0f853e15473ecf9af3

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 45de70c85ece8763c685808eea085df4
SHA1 c9dd5313a661fd17b154ccb17a36e8399fc933a5
SHA256 d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
SHA512 03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d