Malware Analysis Report

2024-09-11 01:09

Sample ID 240226-rl4rpsga64
Target tmp6xtsyg8c
SHA256 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
Tags phobos evasion persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f

Threat Level: Known bad

The file tmp6xtsyg8c was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (495) files with added filename extension

Deletes shadow copies

Renames multiple (313) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-26 14:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 14:17

Reported

2024-02-26 14:20

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\tmp6xtsyg8c.exe | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp6xtsyg8c = "C:\\Users\\Admin\\AppData\\Local\\tmp6xtsyg8c.exe" | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp6xtsyg8c = "C:\\Users\\Admin\\AppData\\Local\\tmp6xtsyg8c.exe" | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2Y0HPGOE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1OEGTYQG\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WZPJ6IGS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BB0Z8TKM\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LS99WIMF\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107358.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprsr.dll | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sv.dll | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen.css.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.REST.IDX_DLL | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Microsoft Games\FreeCell\desktop.ini.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceer35EN.dll | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02862_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXC | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ja.dll.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099194.GIF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.Infopath.dll.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL103.XML.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\TaxonomyControl.dll.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF.id[232102E9-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 960 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 960 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1760 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1760 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1760 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1760 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1760 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1760 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1760 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1760 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1760 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1760 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1932 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 1932 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2728 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2728 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2728 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2728 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2728 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2728 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2728 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2728 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2728 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[232102E9-3483].[[email protected]].8base

MD5 6fbf5787ea04b283f00676c90addedcd
SHA1 53e062f9f9e608228d4703b540f7c2db655b0b17
SHA256 a33f825bf7d03d79d5928429863e82db9aab02a1d82354dac2cd15ab01060fe3
SHA512 d0b47e76a295e824e3ab57c1c378ad12803285ca93aed190ccc7ee812f5dc100fd62573f9b9bebecf30365e6f0f937e02e48f99d68e8dd14fe790324b58f2e1f

C:\info.hta

MD5 e5e37d436e6c574515fd13ab5344f450
SHA1 de1a58c6dba682a1c47ecf9570c30d50a1eae652
SHA256 3b7f254ceaf38b91df06739cc817c1995f942271277ea1cedadf754cea39c87a
SHA512 3f17274e990696bc7147f2192dda045b54369fc7e5c709f99b834e62d186455bb89adbcfdca91e01a95a2f4fa72f15761d13fefd7f21de7048ada4a9a17a947b

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 14:17

Reported

2024-02-26 14:20

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (495) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\tmp6xtsyg8c.exe C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp6xtsyg8c = "C:\\Users\\Admin\\AppData\\Local\\tmp6xtsyg8c.exe" C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp6xtsyg8c = "C:\\Users\\Admin\\AppData\\Local\\tmp6xtsyg8c.exe" C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\NotebookIconAnimation.ttf C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\oneclient.dll C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\WindowsProxiesAndStubs.dll C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\skin_en-GB_female_TTS.lua C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\Microsoft.PowerShell.PSReadline.Resources.dll C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\classlist.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.VisualBasic.Forms.dll C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryNewsletter.dotx C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\organize.svg.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected][92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\TransparentAdvertisers.id[92593FCB-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 920 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 920 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4064 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4064 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 920 wrote to memory of 912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 920 wrote to memory of 912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4064 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4064 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4064 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4064 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3932 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\SysWOW64\mshta.exe
PID 3932 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3020 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3020 wrote to memory of 3892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3020 wrote to memory of 3892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3020 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3020 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3020 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3020 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3020 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3020 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6xtsyg8c.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
GB 92.123.128.142:443 www.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 142.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[92593FCB-3483].[[email protected]].8base

MD5 9951a77ab8af8c9478db8f719a66583e
SHA1 2dfbf60e28aeec675a4bcdf33882109ac762cc88
SHA256 94364ef30e63ce849f6fe745750914d1bee9a16c89d874a16e9b83b3d701f6fa
SHA512 50bc8888aa178c86956d3049c0225ce4579fc9ca2a5c3306a7e43b38fe211fc97b79d432dacbe1ae9973075a2a6e514636d43372e008aca5f744cb41797607a6

C:\info.hta

MD5 c27ccc18354d08670448523e440e0128
SHA1 12b04381a954e5eaed91d5f64cd3fd0302c19290
SHA256 e111c106d901dc0bbc81ba74f6abb452f3981c7c055656906bb3856698773093
SHA512 fcfce947ee683339efd64ebd94e3c0c4b457a94a09a2db4d6f21db30f7c1fec03f405c166de6ba0b03db2abacc3edcc4604606f3eab098f1982b0c35ccc9ba2a