Malware Analysis Report

2024-11-15 07:21

Sample ID 240311-q2hczagc39
Target 230307-fppamsgd2w
SHA256 cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
Tags
lockbit evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1

Threat Level: Known bad

The file 230307-fppamsgd2w was found to be: Known bad.

Malicious Activity Summary

lockbit evasion persistence ransomware

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Lockbit

Detects executables containing commands for clearing Windows Event Logs

Detects command variations typically used by ransomware

Detects executables containing many references to VEEAM. Observed in ransomware

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Renames multiple (9371) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (8023) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Deletes itself

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 13:45

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing commands for clearing Windows Event Logs

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing many references to VEEAM. Observed in ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 13:45

Reported

2024-03-11 13:47

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (9371) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\230307-fppamsgd2w.exe\"" C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F54.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188587.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02287_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02464_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02187_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\OliveGreen.css.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\meta-index.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\System32\cmd.exe
PID 2628 wrote to memory of 3024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2628 wrote to memory of 3024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2628 wrote to memory of 3024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2628 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2628 wrote to memory of 684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2628 wrote to memory of 684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2872 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1908 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1908 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1908 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1908 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 1908 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 1908 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 1908 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe

"C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

Network

Country Destination Domain Proto
N/A 10.127.0.199:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.0:135 tcp

Files

C:\Program Files\DVD Maker\Shared\Restore-My-Files.txt

MD5 11ca27f1ba201ab2b769f975b4d3f35a
SHA1 f86f31c4dbe033cce3c5fcce308a524d2e5cb782
SHA256 8162d29f779bfce7db7720ba22335db764e3becd404e301b24f3b0dfec22003a
SHA512 46b93fbfd08c92efd05b0c77ae15d8359297dc56015cc09f0f64a5d12380c23871cf6a8d77352f2b6f3e44e681d41b8c5f862ceb95bec3b578784f335845cd16

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 13:45

Reported

2024-03-11 13:47

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (8023) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\230307-fppamsgd2w.exe\"" C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.boot.tree.dat.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy.jar.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\ct.sym.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.lockbit C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe

"C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
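
The cmd.exe launch recorded above is the standard recovery-inhibition chain (ATT&CK T1490): vssadmin and wmic remove shadow copies, bcdedit disables Windows recovery and boot-failure handling, and wbadmin deletes the backup catalog. The following is an added detection example, not part of the sandbox report or of the sample: it runs the matching logic over constructed process-creation events, one of which mirrors the cmd.exe line above. Event field names, rule names and the severity scheme are this example's own assumptions; the PowerShell Win32_ShadowCopy rule is a known variant that this sample did not use, included as a generalisation.

```python
import re
from dataclasses import dataclass

# Added example: detection logic for the recovery-inhibition chain (T1490) seen in
# the process tree, run over constructed process-creation events. Field names,
# rule names and the severity scheme are assumptions of this example.

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    rule: str
    segment: str
    severity: str

# One rule per sub-command of the chain. The PowerShell Win32_ShadowCopy form is a
# common variant not used by this sample; it is included as a generalisation.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "bcdedit_recovery_disabled":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b"),
    "powershell_win32_shadowcopy_delete":
        re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b"),
}

# A parent launched from one of these locations raises the severity: a backup
# administrator's tooling does not run out of %TEMP%.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
)

def split_cmd_chain(command_line: str) -> list[str]:
    """Split a cmd.exe line on '&' / '&&' so each sub-command is checked on its own.
    Pipes are kept intact so 'Get-WmiObject ... | Remove-WmiObject' still matches."""
    return [seg.strip() for seg in re.split(r"\s*&&?\s*", command_line.lower()) if seg.strip()]

def detect(events) -> list[Finding]:
    """Return one Finding per (sub-command, rule) match across the given events."""
    findings = []
    for ev in events:
        parent = ev.parent_image.lower()
        severity = "high" if any(m in parent for m in USER_WRITABLE_MARKERS) else "medium"
        for segment in split_cmd_chain(ev.command_line):
            for rule, pattern in RECOVERY_INHIBIT_RULES.items():
                if pattern.search(segment):
                    findings.append(Finding(rule, segment, severity))
    return findings

# Constructed events: the first mirrors the cmd.exe launch in the process tree
# above; the other two are benign administrative commands that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Users\Admin\AppData\Local\Temp\230307-fppamsgd2w.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows & bcdedit /enum',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\wbadmin.exe",
        command_line="wbadmin get versions",
    ),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.segment}")
```

Matching each sub-command separately matters because the chain runs under a single cmd.exe process creation; a rule written against the whole line would still fire, but per-segment findings let an analyst see which of the five recovery mechanisms were hit. The parent-path check is the false-positive control: the same vssadmin and bcdedit invocations are legitimate from an administrator's shell, and here the parent is an executable dropped into the user's Temp directory.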

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.0:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.9:135 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp
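
Apart from the sandbox's own DNS and Bing traffic, the table above records one TCP connection to every address in 10.127.0.0/24 on port 445 (SMB) and again on port 135 (RPC endpoint mapper): a host sweep of the local subnet, the discovery step that precedes spreading to reachable shares. The following is an added example, not part of the sandbox report: it parses rows in the table's own format, groups private destinations by /24 and port, and flags a sweep once enough distinct hosts are hit. The threshold, the output shape and the constructed rows (which mirror the table, not reproduce it) are this example's own choices.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example: parse Network-table rows and flag a subnet sweep on SMB (445) and
# RPC endpoint mapper (135). Threshold and output shape are assumptions of this
# example, not fields of the sandbox report.

# Country, ip:port, optional Domain, proto. Internal hosts have no Domain column,
# which is why that group is optional.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")

def parse_row(line: str):
    """Return (country, ip, port, domain, proto), or None for the header or blanks."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    country, ip, port, domain, proto = m.groups()
    return (country, ip_address(ip), int(port), domain, proto)

def detect_sweeps(lines, ports=(445, 135), min_hosts=16):
    """Group TCP destinations by (/24, port) and report groups that reach min_hosts
    distinct private addresses. Returns a sorted list of (network, port, host_count)."""
    hosts = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _country, ip, port, _domain, proto = row
        # Public destinations (DNS resolver, CDN) are not lateral-movement targets.
        if proto != "tcp" or port not in ports or not ip.is_private:
            continue
        net = ip_network(f"{ip}/24", strict=False)
        hosts[(net, port)].add(ip)
    return sorted(
        ((str(net), port, len(addrs))
         for (net, port), addrs in hosts.items() if len(addrs) >= min_hosts),
        key=lambda t: (t[0], t[1]),
    )

# Constructed input mirroring the table above: the sandbox's DNS and Bing rows,
# then one connection to each address 10.127.0.0 .. 10.127.0.254 on 445 and on 135.
SAMPLE_ROWS = [
    "Country Destination Domain Proto",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]
SAMPLE_ROWS += [f"N/A 10.127.0.{i}:445 tcp" for i in range(255)]
SAMPLE_ROWS += [f"N/A 10.127.0.{i}:135 tcp" for i in range(255)]

if __name__ == "__main__":
    for net, port, count in detect_sweeps(SAMPLE_ROWS):
        print(f"sweep: {count} hosts in {net} on tcp/{port}")
```

Counting distinct destination hosts per port, rather than total connections, is what separates a sweep from a busy file server: a workstation legitimately talks to a handful of SMB servers many times, not to every address in its subnet once. On a real network the same logic applies to flow records or firewall logs keyed on source host, with the threshold tuned to what that host normally reaches.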

Files

C:\Program Files\dotnet\Restore-My-Files.txt

MD5 c38a36605de423cc9f307dbc1e0c238c
SHA1 d9fc6cd1c1b2e924cef03a35d54fdfcfcf94ea48
SHA256 63d9d358405ff1f22af00c93ff0698886ddca004d2c38295b00f0cbf7a0c5bd1
SHA512 d627af27e36bc3403ecaf5b0ffd1ee4e6478e971ec486658f836dbec4a7cb34476248ba029cfc2b28b76538b2024c00a5df11cf64d4dc986401a480697421483