Description	Indicator	Process	Target
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A

Drops desktop.ini file(s)

Description	Indicator	Process	Target
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\desktop.ini	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A

Drops file in Program Files directory

Description	Indicator	Process	Target
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\7-Zip\Lang\sw.txt.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\7-Zip\Lang\mr.txt.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\7-Zip\Lang\af.txt.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\include\jni.h.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.id[7D017904-2803].[[email protected]].eight	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A

Interacts with shadow copies

ransomware

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\vssadmin.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeAuditPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of SendNotifyMessage

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1944 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2620	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe
PID 3020 wrote to memory of 2620	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe
PID 3020 wrote to memory of 2620	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe
PID 2548 wrote to memory of 2628	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\vssadmin.exe
PID 2548 wrote to memory of 2628	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\vssadmin.exe
PID 2548 wrote to memory of 2628	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\vssadmin.exe
PID 3020 wrote to memory of 1800	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe
PID 3020 wrote to memory of 1800	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe
PID 3020 wrote to memory of 1800	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\netsh.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"

C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

"C:\Users\Admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[7D017904-2803].[[email protected]].eight

MD5	a3394e8ecb543eb76f3f6c67cd371c8c
SHA1	94a532a66ecce833f2df50cd2e04ad8b32c90bfa
SHA256	16c59bb4aefe19f81cbd4cfd90c0eb6e99c2c478c5d3507d2750ef577f2a9efa
SHA512	8bd1a92808e16e6291fab41ce84964fe91a02dca95faef9aa5a512faa9a21d88d5e20c567c9628ddb67a6f85b1adc7b56e3e819ce4b3f5d43120a5bf8aae647b

memory/2500-441-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2500-465-0x0000000140000000-0x00000001405E8000-memory.dmp

Malware Analysis Report

2024-09-11 01:08

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240316-mtkxcabd96
Target	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.zip
SHA256	c78d3d8c7b9d6f3adb63d8b89fa87b7fd62d9fb8bb38e828d81e622c87fdfd32
Tags	phobos evasion persistence ransomware