Malware Analysis Report

2024-09-11 02:26

Sample ID 240112-hyg9ssbdhn
Target 1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f
SHA256 1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f

Threat Level: Known bad

The file 1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

UAC bypass

MedusaLocker

MedusaLocker payload

Medusalocker family

Renames multiple (293) files with added filename extension

Deletes shadow copies

Renames multiple (207) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Enumerates physical storage devices

Unsigned PE

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

System policy modification

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-12 07:08

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 07:08

Reported

2024-01-12 07:11

Platform

win7-20231129-en

Max time kernel

129s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Deletes shadow copies

ransomware

Renames multiple (293) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured in this export) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0b722612645da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411205255" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000c6183aa2bdb6e8c724ef7724569e0ee6273c6b78846f6690b78e68b06684335f000000000e80000000020000200000000784a9a026b764a60e6c071c5f98f2be09d455fbb9b068e7128d9d2639414023200000000a9a5090b1b3802b1de51ca99a2dba3203395feb73fcb64477c16c3dbb4a7bbe40000000be09f4c282b0517c2086be895f0f0daf27a3e99c23d17034aaebb8a4d623d7a3e6d74c6d0304a6e86e459118a8d9921bfedaf6b35e6cd4447e5c00205e012ebd C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C9A9601-B119-11EE-8221-D669B05BD432} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2788 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2144 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2144 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2144 wrote to memory of 2516 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe

"C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {7C8A8792-F2F0-4FD4-908C-CDBA27F071DD} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 92.123.128.167:80 www.bing.com tcp
US 92.123.128.167:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 eb379e23a2a8caed5caf54c875dbcb86
SHA1 9b37e276efd195f87d172222b9b374d80f501561
SHA256 63bcdd0da1e858c3a02cce9f76bb4bcd5ae9c4ef7b843a4083f2ecec5666da39
SHA512 82c293ed72f144eb3aa111fd707184f274feb80c113bbe43a637f7d5913021bfba769da1bd31ec7bfb4114816d611e8b63a227a1f9166121005860f908651916

C:\Users\Default\NTUSER.DAT.LOG2

MD5 fa5a3421b53ba7aef71d55a6ece71593
SHA1 40089df074e4d812668dbc6ee0b79a63b9ef7064
SHA256 308c21d94277760b6a5b48bf7add93a8885027a4c82bd8f339336fbb1f2ce460
SHA512 6f7941ea88f7d10c42574e2259dfa0286898e5b036419132fe50aa6694a6fb107146450c1faf9c38fb53065a3153eb13faef67c89450f1f9b82c6244707d345b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarDF6D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 574adf11c0dbe16065c9669acd4b09db
SHA1 b4547cbcfe9423ea43743b577492bd0383cdd185
SHA256 87e3ded6ba8a7b656f007637e667e1af5a4ea725025f2db6e9f056dc2a9d7aa8
SHA512 8d85ced87634898ac0296d1619258fd344f8715cefb9467d312599a689bdcba161723e497399776eb22c433c956aead51a218a533ab99158c7a9f0b45f92d739

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dae7c734b6745ba81366dbb73a88a33
SHA1 d182c1843e5b07655ee6a09c2fc923f6c1a42297
SHA256 8c27c7483b6c712d540fd639d849b5362bed53195182d1cc6c787bbf136a99bd
SHA512 41c0c306824abdc0f3ff044cda01b19411e36877f3e2518bab698194e3a8d1ad36751948fc2477d5cb6ddd124c7571705d8cb4460b76410380b4551a39191d3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 3db5f9981961176f8cbb3fb431e7de89
SHA1 0dcd28199014c504d05c21db121d2a3a3ed1d2c4
SHA256 56b2ba0590b67d4a993ff23a14c56e9dfe938c2210a82b80fd3d2006a436a67a
SHA512 1b43c50da409637e9655361d43635b9c1cb66a64229146a2be884674a61e5a25f792b8ab502ff069cec80751623cb4d2a9465f2b90c9eb66e07d92164e74c2ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f49eb1785fc1fa05c99fc8a5ad6fd2ca
SHA1 d0357c4fcfddeb0c80d314f50e83a7623f8a6683
SHA256 c3cdd628a0a12c618cd5d629cac90587c2d8789af20747b64b0368d065cdb292
SHA512 650d5abe06dd73fcd8326a017147ad0c79662aadd20d5a0a33f56b187233340929d9423fa45d4df057bba442e8106b7ac2abaaec550ddfb6238e20586c35de5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd97d5c84de6bbd633941d8088c8b557
SHA1 cb717ffd7e69bbeb754d2de8576fd1105f48f8e1
SHA256 73294af24fa642dc9979b153235fb4560ca33a05a1928fa5a89a3f0e6cbd9278
SHA512 2ace71ad88b7a3e68b37f58b54972cc77c6fd6ade035377c54938e35e792d76e2cd4789db55d10e7448380b771edb6b2ebd72cc9199b26d0b1e9a3e3417a68ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 a38c9ac06eb0244149a769b0860a765f
SHA1 5e3a33a2c2689b8b755081847df86ee788baf1b5
SHA256 fcfefeb4009ef16d568d087140ae26014e8a77e766021d93ed9f9b5d40da71d9
SHA512 52fd00665a1b6d74e41c30364a8ef83d882a2d7d186d8403e7e3986097e868e2d014835e8a515230ccd4f75d7bdf879b168007070da727ab8235565ecfb49b4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2cc9047ae146ceaccc931e5d33da31c
SHA1 baafb06c38793ccfd616a07d217be8a289eab968
SHA256 56b2e0bd75d27b24cba3bd33faa6651e8a8d2affd0d55b80bead54b98041cb82
SHA512 85f14445401a77ec1a276c952bfefff2537ce60fc66004be1c7ef442d92e145a6bcafd180366191be9b569234bfe2d5dbce9e2c380af5d8f4f0bb7e53882d4db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e4796c3b9e2d946000ac49b469adef2
SHA1 584b3961c009f5ec21630536e0dbef19fbf4a63f
SHA256 f435da3b05415ab44b1a206800e20731b253478629587f3a6dc23b8b5ac15a4e
SHA512 ea293fbbaa03cc46f27cb61d7d7f263368cd9ff885b7f3682b2a83157245fa2de73aa8378da568061138cc598187490e82dab564bbc5e53adb2fc3150649b464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b981084cccf00b63fec7a62974f5793
SHA1 c9ab4b4ab132e0650ff69d933b5d7f8671340b8c
SHA256 306a27f01f1293517810f0f6a6f339dee6d4aafe7541d87063d71816f9a43def
SHA512 4cd485510cfe09e9787b5796f4cac7a38a5bb62db1bbc67672686ec008191d0b0ba23404053cab9537d6775a642403ceddb5acf17d054da322323ce1fc13bd9e

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 5926a64e926f876e3b056233645c6abc
SHA1 7adad94dbe5fda767bd9d6d4499e1e55f1e8f479
SHA256 1526768fbf795a0e446750c042f45274a14bba789373559c03c294f913611cdf
SHA512 d8c569fafa9d10b324441c965fbd8e2064a733068e1f5285d04c7d19940ddad93273a45bf442b2ef6e2add5bdec8ba873b07325ea9e8030783a5a0ef02c58fc7

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 c20b91e9254956b124a1b3f2a575b306
SHA1 c16dcbe6826d34c26bac2347b31ae41c0a77813a
SHA256 0baf76a06b85aeb9742f3be0efebd55c44518f2715df5206660906920e0b223b
SHA512 cf5747e0d453a70330997a24b62309e575db2ff68e862311cde8610d4b22bd1b7fb6e2dd6e6fcece0db3a9d0de63f4ffbb87ef3982b12753982ea78b7727bc1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72898ef7a52e503c932de6440bd7b20f
SHA1 6b42c3234f0a8f5c175a9ac46b711ffaadbec5f0
SHA256 579ab11e82d644b16eb728e08760c208eade032145d4cf9534ec0b6da3b14172
SHA512 fbd833dc62960288b87a054224a6e07e3593c25ca48311ab079e4a1c6d7c0f7ab18660f9fabe0b13e27f8cf83a22fc6ab8f96df6286c5e1049214eef624873b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a839fdc3b79c14167985eea593f5a0d9
SHA1 20c5126fb5b3a538b58d883efa6229affde16856
SHA256 999caf4f004df9ea91e9c4e11a43919369e2e634f1e8a0ed94e7dd2823276ca0
SHA512 0010a7b993864ef64ad45623439414f70163ec63e85d75cebce833b279800dee6fc12c88a0d139c050fc73f9e561fce3887c110ffd6e9e18cb0a1daf127bf87b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa16b1fd8b91d028711e90a9b16bed3e
SHA1 c32bc1e0a98315ac6f8f2ba212a2cd52457db7fe
SHA256 5fad0e586e8cc4c367ba62e06bd5149f1a8e1eead2ad7b80f246ec28af5077b5
SHA512 02f3caf612ee443fea7127aad0599ffbecf704742d4ccf3050be835ab53f6b9c9cf2a8d1992b992e57d8e65605fa66d115000f8e4d51fc45a36293ba06d60028

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59d81556bfcaa171aec4683e11de9ee1
SHA1 c1054af2f061c0faf762962e701394f30c6b0886
SHA256 f9db5e11fac50f7cb3748a19bdd91a77774a540802d91dc2e5501911473c3d70
SHA512 cddc37e5575d402260488a75eeb7cc1af759d7c77c3c290f6c3d053eab0f5a83b67a192d6c6b14578e59b820ec162b9c07bd91ce9d5efeb7e849cefd66078c80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d60ff0e22f1b4be6268c1627b0cfdef
SHA1 8301714092b2a92280cc2e0f71785d8104d157eb
SHA256 92ed826cf93cf65a10fff5e543c465bb9c6263cd9c81ee523d10165f185f1c5e
SHA512 358f74ed1441a94362f22530c28b1daa2063acef912fd63ba8e953b5aa444046902e56cf39a078d39f71ed7aa1a06d76292ae9fe6f1f9809483d15d4cdc0fb4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7818d39df87d4c31f0a43b1f7144d06
SHA1 65f9e1cd2818d2e7768fef37be378822fcc6377e
SHA256 07241f88d24f915bfbd2070dd047864f2f9fef415410b69fd43c51756fe7831a
SHA512 7e4ea693c0b46376af8b74da32231f54ee57a41cd7454629b115f6b2e98461294a565ec2ca89985e1a5f650a8b6c9ec952ba4117b5b5608c5d16479ebde7793b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c03ffec3c765db3f1d3fe32b55ce57b
SHA1 78296a83f15cce7588a8132d6c3761d98e07bd75
SHA256 dfa8310dabfdfc56f00eabf6364d9b031c69d2f31333e715377fdb2ba638d4a3
SHA512 80818c2f2f1ad55abf711362e47a864b3f8ac9ea2e4b47c0679080d9deec83b547371942ad97f54c11dc1bbe3c18043a6e507d7e2f4ca7a2aa755f9291cd5170

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1f9652971e3f564a77f751baf7ac6e8
SHA1 0309e32c3eb93fc7281ad867249ff625076d3269
SHA256 6cd73b39769d92c84b59a007695399f1a15df1fd5d35d153b1c1870ae3b87230
SHA512 c0517c1788bd63b6b5fe5bfa4c7e50f152d093ab1ae373abbb8e57fddeea4713beea6bae9aff30923e6925b9a994f1ad055672df911fdeb2ef6f3ebba628d9c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aba06b844811302242c1c095df21ce78
SHA1 7fbbc20a0bfd02ad8abdf54b03607eb6f9e10426
SHA256 b49bc47df3b14e6816b13b1bbd21f7c0e3e401dc6b2ae948d44abbb75658584a
SHA512 a4bf235946f61d1f125881763674ca7bf3487380c68e68ed43cbccc5a9665d20dd0ba2d9edcc5d945c0ac77f0f38594ebd91d323cb8b3e1fb0136bea2afbd555

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b35e1ee5ad3fa51cb1f2471e726df27b
SHA1 9354d98316867574fb34341474f4a9492092ceca
SHA256 910ed9090298d3b227e863d67fa15302edf73ae5aace5f952b6d8a7b17446f15
SHA512 dfdc08eb094f6ac6acba27cfb9f2e0bfe7d68b8e918d07fd8cca4f97568453bd31a6f0f78ba59b41b3331eb1ee53e3bedf33eac4bd480ca1a0031ed32af28b20

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 07:08

Reported

2024-01-12 07:11

Platform

win10v2004-20231215-en

Max time kernel

20s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Renames multiple (207) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2276 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe C:\Windows\SysWOW64\Wbem\wmic.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe

"C:\Users\Admin\AppData\Local\Temp\1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network


Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

C:\Users\Default\ntuser.dat.LOG2

C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms

C:\Users\Admin\AppData\Roaming\svhost.exe