Malware Analysis Report

2024-09-11 02:18

Sample ID 240227-wh26xsfh6t
Target c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.sample
SHA256 c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1
Tags
medusalocker evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1

Threat Level: Known bad

The file c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.sample was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

MedusaLocker payload

Medusalocker family

Renames multiple (2916) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (343) files with added filename extension

Deletes system backups

Deletes System State backups

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Kills process with taskkill

System policy modification

Suspicious use of WriteProcessMemory

Runs net.exe

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-02-27 17:56

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 17:56

Reported

2024-02-27 17:59

Platform

win7-20240221-en

Max time kernel

164s

Max time network

136s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2968 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (2916) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\tzmappings C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Merida C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\Custom.propdesc C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Internet Explorer\images\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Paramaribo C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\LICENSE C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2464 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2464 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2968 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2968 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2144 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2144 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2144 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 684 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 684 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe

"C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe

\\?\C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe -network

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

N/A

Files

C:\MSOCache\How_to_back_files.html

MD5 02793d91189ad89069231555f0704586
SHA1 336dfce26023d781a1a9d6a746909971665ebcc3
SHA256 14c3a651e7b4baba28068d63612ba99e623751ba9d4f736e05dd91c27870f1b6
SHA512 5fd662c5f567a90ecb6bc52d9b43ed123a3fefda8174d501414b4f70f7fa4389f241968c928307d276b053c81947761fc1f24fcd1ffb533b8af86a687a002101

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 d1e491164acc23b0da7e377c1762d0ac
SHA1 1fa486de5cb437e72beec304fc3f8b90797acffc
SHA256 d09cc8ab1e00123640c4bb8553910386b3a1938634de290baec1f0239d699b77
SHA512 6dd9cee6b572d159e18a1a7a50b2e33b342a067138ad1695603513ebd89f1470305b68068c97f8ec2462090402e37a48d860b18b6290d397a316811f4d86623e

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 b5312ff18523b00eceb7bfd0679bb9bf
SHA1 1dc467a36bea13f3d87ea1340920165dac8f7c2d
SHA256 55d6c97651ad25eeba77348581b8cd86af16ce30ea19c51794fe4bbe02a0a995
SHA512 3c5b3ce548b33588a6e54aa49d8149163dbe1a75d1e8b62b92db234e4e4e7987b3586ff6d18f7e21703e9cc21d9db3021f37299f2f2b741e3a17600760271f5a

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 535a160f860ec52a31fa38b53c6ce65d
SHA1 7d40fad2c6b4dc6d222c1fe9b67ad3fc3b709c00
SHA256 c6fd0b5284e7f2cf097cb31b8423d77409c491f8b199d0f71f8df63d9d334d41
SHA512 71c8c6e881cb5ed09e79a4f8dd598a7e745315ae2002999fa89fe6804a2fa9bc1f03a858739cfa55fbe8567640b97655ba620d36151382f1c992a11dbe3d7a21

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 b52d7104bae3f94b72abcd21eaa2f80b
SHA1 d36763773d1877faa8792820b1587526a84a168e
SHA256 b8a936a45fa3867c16a5b7bfc752067b1db986af77d1d85a5c63de3ae1607c18
SHA512 3804a5c5d3bf4231353babc84187fd6e96a01c0f40b1a786aae337b818f81970d6247f2ee58dcdeaf1a2e73794029fc7cba1cb951ce578b8e250a6ab6e41a5c9

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 c745905be7691c37ecc2385ca96e495a
SHA1 ab671e2a02c2eac573356249fd49e6fdb29a682e
SHA256 9220aa191bf90d9c9ea2e25f09ea031ee56eb82cc640d253ffa538f4ace786ae
SHA512 7a2ac7eca03499e2f96b8f95dd7edbf6b0bcbdd766c4d2485c468be8f923492debc7b0cb9ec3499f30df77c9a942ce03eb945a2f7c690da8237665665d3f5589

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 7f7638e739d092b158ac3f31fbc2ddfb
SHA1 652cf54202637568871e5b80a7a600c5455ecbd9
SHA256 e9df9cc8907af154593d75a14288387130ddbf3d7f2ef3324386b7bf8783e1ba
SHA512 ca1091b3827e52094566ed71e1b1c86ba1fffe2386139731c3fe9f744a75afb417d27cb8629db16489bf9b7dec18b24f3e9ba0c41d7b69c52cca14c486714ad2

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 bb286892682b8860fb5f8cb39ed59d36
SHA1 7ec1d1656b635f65eec17150f2c3d875ec3ffa9b
SHA256 168aeda7d9ff25058443f47a71736a25e991577b78f3ec20a95835adbdbc682e
SHA512 c742dddc3fd9b45e40f98ab6a7d3d818b97da9f62c22d3e1d1675230a6c31ed102f29245fbae493de8f6c5c05ab5e99005a21b3770eb084de561caa1e6c5185a

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 def21d8dae52ffafe848a8ad1a2ab0fc
SHA1 20433e276a8db2175fe527f363046098a4334b0d
SHA256 d3043d375a2078fe814bf090c89fad7cbfca4188cfdd871068456e8177d005a1
SHA512 1d23b6f5a11e6088f68c35cb994d807c181614758eef05e4513201692ca033f20c83fdd616705119bb9d01a2e7ea1aa1253c5886740b925800f0065f3b99f152

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 2e1b92ad6a298be1a0f30da7bfac5c58
SHA1 04f57158ccf2abc852c6bae8e3f70fa0836d8438
SHA256 b976ba7842f83fb8b237d4e2f960fbece7e31a1e59f5f9c9ee6c999dc40623c7
SHA512 f5951af15ce7cf4983b3af65f181c6fe3a94761e15d0c5cf02ed411a829d3ab52a445868a4e890003cabda8eb7b0074e5dfea414ef8da41a199bd970c88610cf

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 521bc1fd14d5d3e859498a991105fc78
SHA1 000f3f4dc3d974beb67cc37ca432415743e08443
SHA256 8c8012669eb0a4f5acb33a369a1317e1a593bc7d83e66366757ddc7579bf9248
SHA512 410e3a0b44d507fd521c37b76d92dd74e54b78d04753e084f9fe8383fd7d2b34947152065d5714f87f46167fccb1893d724f68b32089f1efd0093dc8b640bd6b

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 48656ded1603e67c50a422bc4688f459
SHA1 afe64e8ba55e8233086629a664d482d478a65acd
SHA256 17a19e730804e45744fe364de606e1973225d9abef8b868c460c81861f468924
SHA512 bfc33e122478fd6f339f9885c48c1233b10d6d70e7ce9a457fbb0ec75d90cf03f28938f4c997926cf03b839ffe47cca8f781b5c7c1259baa4454029ec9c0d7e5

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 8cdc8be2afaee8ca3e03c81edf8bef5b
SHA1 6eb36d7b6407dfade295c671d42e14c792b06fa7
SHA256 43bfd8b750ca444cf83171179d24a50dc7d5ce6d1aaa967c6fe4d98980b397ed
SHA512 79b66d72800c5cc2cd2dd100f733e84d4d213f6b70ac8d6f9139bce1ba18d799d3667ee3b3e6ba6d9a5e17bbfa35418bea1f20a48e33c105533d61654b8495cd

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 ccec9d0a05fb881ddb73fcb2d0f1362a
SHA1 a470eb95a555f2b29c61f8c98fabe17090f6169e
SHA256 e2069c1fd135bdd734bd28ec8c12f32ce08b3920e9c5d3f7faed1e218e93d4c6
SHA512 fdd0b4c0d22eaee944ba232bf1c7ca4741015041348ecb4b41d13d62f63b5c60435f03db2e72c58a2750ae74ca1435956d2b2949c7b8f96b3ae680f533951759

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA

MD5 37e3575b2d34fb1da6ed43be688dac57
SHA1 384fcc31115b6e2539f257358ad9456d7960f4b9
SHA256 734a23c19ca2fe39a04147b43c094444be88daf16aeb2cdf65f419b59edbd684
SHA512 f793518dfa08cad19885f733bba609b880ee334bd8e8eb2e80a80ce5483e413d320b80949dc02355b18f91d344b95ed76b735f7e6b752419167efec15121e68a

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 dacebdca8c76cfb633b74536358a8582
SHA1 77b9ea973f100ccce7d09ae41b1c948d870e9d69
SHA256 08ca3aa6815ef656fce8975fd59fcf6c1514bcf2d39746343a2acd912c547ca6
SHA512 8dc043cf1db8a9def4617b02351c5feba78b8803b70dfed1370e646633dc611f21a2d4530f461002071edf869a810874da2ddc4573e18bd024c24f10010bf536

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 ded1663de119f6eedac4bc6bda8d5644
SHA1 bb59e9111181ed0c5c9363119461987dfe6de967
SHA256 08dc0099295e8559778564f831d1b35b49a1691d2e57763ed3ab2f8a948f3f2e
SHA512 5956e10d319ec5fba5474fc2908e7fbb98a0d2e9936f1e02b1c2fb42d3b8114d4eb6a0ada5089bb9c19bd47bac60982af411ae741a7280693933b03f95fcc471

C:\Program Files\Java\jre7\lib\zi\Etc\UTC

MD5 a1d2d5ee8b5230a5965e201873b8e05c
SHA1 b5b69420c21723137de899dbd353f09a4f4c81fe
SHA256 9fc1c33bd8fd8edede30587be00757f973da6d0676b8f8eab873f5bfa1d23018
SHA512 f8b2258d7c6a57b7b6d53364c26fe0658ce00bef554c005b511ad325c949d30b7693c1347187c889b20cdf92ea9bb5b1e8b97daa226d1abf71bc5224bf833362

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 82e4da1d5cb0a12e8fbb0add7c75c7cb
SHA1 89a0b7909e3045d09ed54773c9e3aeac82f306fb
SHA256 f4dc751d310f4be6be4f61efe6d9e889e96e65df3106ef034524f0efab935b78
SHA512 6385d6f789df71a8be4908987997777b1419fb73f33ddcbc8aff0917dfde26b9075dbdb664e0ca3cd9723a70da6d1b7352349214e7e67537c46fa50b5962ede1

C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

MD5 1cbd87e7ed7fe14c27e3bba4da1b1f30
SHA1 8aef93a1b770704dd131a7ffd3d7cd9598c53cb5
SHA256 c0d68d0073761ebbe8914a05e67f84956dfbab76ed55ae20311e24363ca6d172
SHA512 89b744ce2b16e47c63dcee9ebd0783e0c86f4315017cafefb16e15b1a39172b606521175c4098e8c56c14a86082450dc5f6834c81e8c7fdd0f9137070f35a3d4

C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

MD5 4c0376b3a6f12c6d1ae57de24ecee0d2
SHA1 8f82f1eda29b64e857eb9f04a284fcfa72f2eb1f
SHA256 ebb8465d1b8997577245fedfa974540ae39387e2e176c68e6793fdc1f9065c35
SHA512 d9f81424124e153a16b4bd5517b2a05655b2bfa8363bb2752612fa9a34322c98c95cea0b3e5ee27ebc3792cb0b2d1baec0cb5cc39b2f8b9b14a0009c5a415d0a

C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

MD5 708befcc32649dc94cd7d355b4e470ee
SHA1 b9101e86e49e65357a922053b13748486e882e05
SHA256 c092d4f34053eaae5df122533ba34fd92b35cc6d881e2d6354fbc51634e0b3fc
SHA512 0e7f1defcd653089eefeecdbe90709ed500c19730044b041f83fa53fe09c455c4b5044bc81b54f67fdf0a8b98dec0ff48f1d848186ea86ea1d949ba49506496e

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 17:56

Reported

2024-02-27 17:58

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

159s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3376 created 3300 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (343) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nl-NL\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\ImportStart.MTS C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-BR\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Internet Explorer\uk-UA\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ta.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\es.txt C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\System\en-US\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\Common Files\DESIGNER\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
File created C:\Program Files\dotnet\swidtag\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1096 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1884 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4796 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3832 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3832 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3624 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2356 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3088 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3088 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3400 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3400 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4524 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3500 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4488 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3376 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe

"C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe

\\?\C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe -network

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\odt\How_to_back_files.html

MD5 6fedb1c2ef1dde2da864bf98b271675b
SHA1 1393fd16b3c6468e6dbd009e90644d51eaff7ecb
SHA256 c2ec79ee0c21c94c4c68339e5e569ef2e8d2d716fe3b9ba22070699b6a2499ca
SHA512 5f3f2c1f4dc7a7761c70dd996a152616d8a948e577ff451330df6f8aa0349fad5c82b021f73fa3d880a647094a6fb217c14c11ffee925a11136af8bb139d8e64