Malware Analysis Report

2024-09-11 01:09

Sample ID 240229-ecgvcscf5s
Target ad9b251b3d3d8a38fb99d90964109e65
SHA256 eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada
Tags phobos evasion persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada

Threat Level: Known bad

The file ad9b251b3d3d8a38fb99d90964109e65 was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (314) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (496) files with added filename extension

Deletes shadow copies

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-29 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 03:47

Reported

2024-02-29 03:50

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (314) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad9b251b3d3d8a38fb99d90964109e65 = "C:\\Users\\Admin\\AppData\\Local\\ad9b251b3d3d8a38fb99d90964109e65.exe" C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ad9b251b3d3d8a38fb99d90964109e65 = "C:\\Users\\Admin\\AppData\\Local\\ad9b251b3d3d8a38fb99d90964109e65.exe" C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\28B1FXQD\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T0AT35Q2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ZOR7ZBA\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\O9CU8I7E\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S270D3YO\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EESAQ4EF\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JF3RETYF\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1K3UA1EK\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107446.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00998_.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECS.ICO C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1F.GIF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\PMAILEXT.ECF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\ReviewRouting_Review.xsn.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTL.ICO.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195772.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183198.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAClientPkg.dll.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSRTEDIT.DLL C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.id[B9A47FC2-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2488 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2488 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2488 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2128 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2128 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2128 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2488 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2128 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2128 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2128 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2128 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2128 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2128 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2128 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2992 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 2992 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1176 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1176 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1176 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1176 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1176 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1176 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1176 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1176 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1176 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[B9A47FC2-2700].[[email protected]].Devos

MD5 f1c6e64d01bc106cd57af2aabf619b7a
SHA1 773821d88694a4235ae17f28d8b3030c83929495
SHA256 a464423946c30625bb4245d05a4de1712d94b6fbfcd3f96a6c50b874fb31d192
SHA512 860862d2e1f4b79ac8f47a5754b49de065bfd6b5ca1958130444c7641f8c51ae22164d74ca4d71796b5ceea4ab3caa40113daa55bb3b60591d330bd59e95c322

C:\info.hta

MD5 8cf4d59ae0dc06e5d28e63e043f52c0e
SHA1 efc84b90535717bb2b77f7702fa0ae0514be35b4
SHA256 5329000f1adaaf03d38b1647ced0276cedd28519be591bcde22fe0a028c78bd9
SHA512 edeffb38afe06ab210daf82125d1a20e095be3a6675f04bbfda009d280a7d844fb0b2b0ca6aa93ca16ddc7a002c2f22a758047b8867a41271545f5014946472a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 03:47

Reported

2024-02-29 03:50

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (496) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad9b251b3d3d8a38fb99d90964109e65 = "C:\\Users\\Admin\\AppData\\Local\\ad9b251b3d3d8a38fb99d90964109e65.exe" C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad9b251b3d3d8a38fb99d90964109e65 = "C:\\Users\\Admin\\AppData\\Local\\ad9b251b3d3d8a38fb99d90964109e65.exe" C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscorlib.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-150.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-errorhandling-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\WindowsBase.resources.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileOneNote32x32.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\FFmpegInterop.winmd C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\SuperSlowMotionCheckbox.xbf C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\psmachine_64.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.Encoding.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Hedge.dxt C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.Primitives.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.id[96FD0230-2700].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
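
Every "File created" row above follows the Phobos naming scheme: the original name is kept and `.id[<victim id>].[<contact address>].<campaign extension>` is appended, here `.id[96FD0230-2700].[...].Devos` (the contact address is redacted on this page). The "File opened for modification" rows without the suffix are the same sample touching files that have not been renamed yet. The following Python is an added triage helper, not part of the sandbox report: it parses that suffix back into original name, victim ID, contact and extension, and tallies the IDs across a file listing, which is the quickest way to tell from a share listing whether one host or several were encrypting into it. The listing is constructed from the table above with a placeholder contact address, plus one invented entry with a second victim ID to show the multi-host case.

```python
import re
from collections import Counter, defaultdict

# Phobos renames each encrypted file to
#   <original name>.id[<8 hex>-<4 digits>].[<contact address>].<campaign extension>
# as the "File created" rows in the report show for the .Devos campaign.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]\\/]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{2,16})$"
)

# Constructed listing: two renamed files and two untouched files copied from the
# report's table, the ransom note, and one invented UNC entry carrying a different
# victim ID. The contact address is a placeholder; the report redacts the real one.
LISTING = [
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscorlib.dll.id[96FD0230-2700].[contact@example.invalid].Devos",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.id[96FD0230-2700].[contact@example.invalid].Devos",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-errorhandling-l1-1-0.dll",
    r"C:\Program Files\Java\jdk-1.8\bin\unpack200.exe",
    r"C:\info.hta",
    r"\\fileserver\share\Q3-report.xlsx.id[0A1B2C3D-2700].[contact@example.invalid].Devos",
]


def parse_phobos_name(path):
    """Return a dict (original, victim_id, contact, ext) for a Phobos-renamed
    file, or None for any other name."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def triage(listing):
    """Split a listing into encrypted vs. untouched names and tally the victim
    IDs, contacts and extensions.

    The victim ID is fixed per infected host, so more than one ID in a single
    share listing means more than one host wrote encrypted files into it."""
    encrypted, untouched = [], []
    ids, contacts, exts = Counter(), Counter(), defaultdict(int)
    for path in listing:
        info = parse_phobos_name(path)
        if info is None:
            untouched.append(path)
            continue
        encrypted.append(info["original"])
        ids[info["victim_id"]] += 1
        contacts[info["contact"]] += 1
        exts[info["ext"]] += 1
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "victim_ids": dict(ids),
        "contacts": dict(contacts),
        "extensions": dict(exts),
    }


if __name__ == "__main__":
    result = triage(LISTING)
    print(f"{len(result['encrypted'])} encrypted, {len(result['untouched'])} untouched")
    print("victim IDs:", result["victim_ids"])
    print("extensions:", result["extensions"])
```

A name without the suffix is not proof the file is intact: the report shows the sample opening unrenamed files for modification, so a listing taken while the sample is still running catches files mid-encryption. Confirm with a hash against a known-good copy before treating an unrenamed file as clean.
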

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 380 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 380 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2820 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 380 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 380 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 380 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 380 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 380 wrote to memory of 1244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 380 wrote to memory of 1244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 380 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 380 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\SysWOW64\mshta.exe
PID 4180 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2808 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2808 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2808 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2808 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2808 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe

"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
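
The process list above is the standard Phobos recovery-inhibition run: two cmd.exe children of the sample delete shadow copies twice over (vssadmin and wmic), turn off the recovery environment and boot-failure handling through bcdedit, delete the Windows Backup catalog, and disable the firewall with both the current and the legacy netsh syntax, while mshta.exe renders the info.hta ransom note from the user desktop, the public desktop and the drive roots. Each of those commands is also typed by administrators, so a useful detection keys on the combination under one process tree rather than on any single line. The Python below is an added example, not part of the sandbox report: it classifies process-creation events against those command lines, walks parent links to the root ancestor, and escalates only when several distinct behaviours appear under the same root. The events are constructed from the report's process list and its WriteProcessMemory table; the parent PIDs 1000 and 700, the trailing GUID being shortened, and the benign-admin control case are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# PIDs and command lines follow the report; parent links are taken from its
# "PID X wrote to memory of Y" rows. 1000 and 700 are assumed launcher PIDs.
# The last three events are an invented control case: an administrator's own
# backup maintenance from an interactive shell.
EVENTS = [
    dict(pid=4180, ppid=1000, image=r"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\ad9b251b3d3d8a38fb99d90964109e65.exe"'),
    dict(pid=380, ppid=4180, image=r"C:\Windows\system32\cmd.exe", cmdline=r'"C:\Windows\system32\cmd.exe"'),
    dict(pid=2820, ppid=4180, image=r"C:\Windows\system32\cmd.exe", cmdline=r'"C:\Windows\system32\cmd.exe"'),
    dict(pid=1616, ppid=2820, image=r"C:\Windows\system32\netsh.exe", cmdline="netsh advfirewall set currentprofile state off"),
    dict(pid=4744, ppid=2820, image=r"C:\Windows\system32\netsh.exe", cmdline="netsh firewall set opmode mode=disable"),
    dict(pid=4152, ppid=380, image=r"C:\Windows\system32\vssadmin.exe", cmdline="vssadmin delete shadows /all /quiet"),
    dict(pid=532, ppid=380, image=r"C:\Windows\System32\Wbem\WMIC.exe", cmdline="wmic shadowcopy delete"),
    dict(pid=2368, ppid=380, image=r"C:\Windows\system32\bcdedit.exe", cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    dict(pid=1244, ppid=380, image=r"C:\Windows\system32\bcdedit.exe", cmdline="bcdedit /set {default} recoveryenabled no"),
    dict(pid=1996, ppid=380, image=r"C:\Windows\system32\wbadmin.exe", cmdline="wbadmin delete catalog -quiet"),
    dict(pid=1212, ppid=4180, image=r"C:\Windows\SysWOW64\mshta.exe",
         cmdline=r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    # control case (constructed): admin lists shadows and prunes the backup catalog
    dict(pid=900, ppid=700, image=r"C:\Windows\system32\cmd.exe", cmdline=r'"C:\Windows\system32\cmd.exe"'),
    dict(pid=901, ppid=900, image=r"C:\Windows\system32\vssadmin.exe", cmdline="vssadmin list shadows"),
    dict(pid=902, ppid=900, image=r"C:\Windows\system32\wbadmin.exe", cmdline="wbadmin delete catalog -quiet"),
]

# (ATT&CK technique, label, pattern over the command line). Labels are distinct so
# the burst logic can count behaviours rather than raw hits.
RULES = [
    ("T1490", "vssadmin shadow deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "wmic shadow deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "recovery environment disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "boot failure policy ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "backup catalog deleted", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004", "firewall disabled (advfirewall)", re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "firewall disabled (legacy)", re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\s+mode=disable\b", re.I)),
]
# mshta is only interesting when the .hta comes from a user-writable place or a
# drive root, which is where the report shows the ransom note being dropped.
HTA_ARG = re.compile(r'mshta\.exe"?\s+"?([a-z]:\\[^"]+?\.hta)', re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|[^\\]+$)", re.I)


def classify(cmdline):
    """Return the (technique, label) pairs one command line triggers."""
    hits = [(tid, label) for tid, label, rx in RULES if rx.search(cmdline)]
    m = HTA_ARG.search(cmdline)
    if m and USER_WRITABLE.match(m.group(1)):
        hits.append(("T1218.005", "mshta ran .hta from user-writable path"))
    return hits


def root_pid(pid, parents):
    """Follow ppid links up to the oldest process we hold telemetry for."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def analyze(events, burst_threshold=3):
    """Group findings by root ancestor. A root whose tree shows at least
    burst_threshold distinct behaviours is reported as a ransomware-style burst;
    a single hit (the admin control case) is reported but not escalated."""
    parents = {e["pid"]: e["ppid"] for e in events}
    findings = defaultdict(list)
    for e in events:
        for tid, label in classify(e["cmdline"]):
            findings[root_pid(e["pid"], parents)].append((e["pid"], tid, label))
    report = {}
    for root, hits in findings.items():
        distinct = {label for _, _, label in hits}
        report[root] = {"findings": hits, "distinct": len(distinct),
                        "burst": len(distinct) >= burst_threshold}
    return report


if __name__ == "__main__":
    for root, r in analyze(EVENTS).items():
        print(f"root pid {root}: {r['distinct']} distinct behaviours, burst={r['burst']}")
        for pid, tid, label in r["findings"]:
            print(f"  pid {pid} {tid} {label}")
```

In production the grouping key would also include a time window and the root's image hash, and the root here is only as good as the telemetry: a sample that spawns cmd.exe through an intermediary not logged by the sensor fragments the tree, which is one reason the report's two cmd.exe children are worth correlating through their common parent rather than on their own.
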

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[96FD0230-2700].[[email protected]].Devos

MD5 2504deb77bedd2c2fdcc34f51de03af7
SHA1 72e91bf32ab588ffb4f87cc5454fada8d390481a
SHA256 bc44c5927f2b93d9bf13a882d9b45a71cc861fb5454c48edd8eb91c92fe3a463
SHA512 ab0dba335a0fa57cb74fe2f66176810379a427bf032ed533ff96252f212e8e31a8fff8cca9f3eda5f993081991a686dbd077f57b7f7c84ed56e86b7bbbeb383f

C:\info.hta

MD5 d21a1b0e23c8111860138ed2ad8783f7
SHA1 f4ec81909518286eb84f17f4d3bd3e6108396375
SHA256 7ea555f4cfcff9e14a70667c307a64c071576f39f1d524b89d73b4aebbfba7f9
SHA512 1b88d1a98ae329b066364c09a729e90ac6c7af8d36d578a54cf3179d1e81b976e24d927a36aadbff04f08b7c01887c68e1953fa2b35a0be3e18885f4e8059e80