Malware Analysis Report

2024-09-11 01:08

Sample ID 240317-m4m5fscg84
Target d0b55391935307500af21d28af2299df
SHA256 fa0a1227da320afa57509dadf4ece1f264c184abd61f425ae00c43c19e09b006
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa0a1227da320afa57509dadf4ece1f264c184abd61f425ae00c43c19e09b006

Threat Level: Known bad

The file d0b55391935307500af21d28af2299df was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Renames multiple (319) files with added filename extension

Renames multiple (255) files with added filename extension

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Interacts with shadow copies

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-17 11:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 11:01

Reported

2024-03-17 11:03

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (319) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\d0b55391935307500af21d28af2299df.exe C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
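The "Renames multiple files with added filename extension" signature and the file names above show the Phobos naming scheme for encrypted files: the original name, then ".id[<8 hex victim id>-<4 character build id>]", then the contact address in brackets, then the campaign extension (".banjo" for this sample). The parser below is an added example for IR triage and is not part of the sandbox report; it recovers the original name, the victim ID and the extension from a file listing so a responder can count affected files and confirm the victim ID before looking for a decryptor. The contact address in this report survives extraction only as the literal "[email protected]", so the pattern is deliberately permissive about what sits between the second pair of brackets; the listing below is constructed from paths on this page plus one invented document path.

```python
import ntpath
import re
from collections import Counter

# <original>.id[<8 hex>-<4 hex/digit>].[<contact>].<extension>
# The 4-character build id is an assumption from public Phobos samples
# (every sample this author has seen uses digits, e.g. 3070 here).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(filename):
    """Return the name's components as a dict, or None if it is not Phobos-style."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


def triage_listing(paths):
    """Summarise a directory listing (Windows paths, any host OS).

    Counts encrypted vs. untouched files, tallies victim ids, contacts and
    extensions (one victim id per infection is the norm; several means several
    runs or affiliates), and rebuilds the pre-encryption path for each file.
    """
    summary = {"encrypted": 0, "untouched": 0, "victim_ids": Counter(),
               "contacts": Counter(), "extensions": Counter(), "originals": []}
    for p in paths:
        parsed = parse_encrypted_name(ntpath.basename(p))
        if parsed is None:
            summary["untouched"] += 1
            continue
        summary["encrypted"] += 1
        summary["victim_ids"][parsed["victim_id"]] += 1
        summary["contacts"][parsed["contact"]] += 1
        summary["extensions"][parsed["extension"]] += 1
        summary["originals"].append(ntpath.join(ntpath.dirname(p), parsed["original"]))
    return summary


# Constructed listing: three names taken from this report, one invented
# document, one untouched file and the dropper itself.
SAMPLE_LISTING = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[22CCAE4E-3070].[[email protected]].banjo",
    r"C:\Program Files\Java\jre7\lib\jfr.jar.id[22CCAE4E-3070].[[email protected]].banjo",
    r"C:\Users\Admin\Documents\report.docx.id[22CCAE4E-3070].[[email protected]].banjo",
    r"C:\Users\Admin\Documents\notes.txt",
    r"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe",
]

if __name__ == "__main__":
    s = triage_listing(SAMPLE_LISTING)
    print(f"{s['encrypted']} encrypted, {s['untouched']} untouched")
    print("victim ids:", dict(s["victim_ids"]))
    print("extensions:", dict(s["extensions"]))
    for orig in s["originals"]:
        print("  was:", orig)
```

Note that a plain glob such as `*.id[22CCAE4E-3070].*.banjo` will not match these names in most shells or in PowerShell's `-like`, because the square brackets are read as a character class; match on the regex above or escape the brackets.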

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe" C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe" C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
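The two Run values above, together with the copy dropped in the Startup folder earlier in this section, give three independent persistence signals for one binary: the image lives in a user-writable path (AppData\Local), the same value name is written to both HKCU and HKLM Run, and a file with the same name sits in the Startup folder. The triage routine below is an added example, not code from the sandbox, that parses Run-key indicator strings in the format this report prints them and scores each value on those three signals. The two Phobos lines are taken from this report; the VMware Tools line and the Startup folder listing are constructed for contrast.

```python
import ntpath
import re
from collections import defaultdict

# Indicator format used by this report for the Run key signature:
#   Set value (str) \REGISTRY\<USER\<SID>|MACHINE>\...\CurrentVersion\Run\<name> = "<data>"
SET_VALUE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\(?P<hive>USER|MACHINE)\\.*?\\CurrentVersion\\Run\\"
    r'(?P<name>.+?) = "(?P<data>.*)"$'
)

# Locations a standard user can write to; a Run value pointing here is a
# triage signal, not a verdict (updaters such as OneDrive live there too).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\$recycle.bin\\")


def image_path(data):
    """Extract the executable path from a Run value.

    The report doubles backslashes and escapes embedded quotes, so undo that
    first. Quoted paths are taken verbatim; for a bare path with arguments we
    cut at the first '.exe', which is adequate for triage.
    """
    data = data.replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    i = data.lower().find(".exe")
    return data[: i + 4] if i >= 0 else data.split(" ", 1)[0]


def assess_run_values(indicator_lines, startup_files):
    """Score each Run value name 0..3 on the three persistence signals.

    indicator_lines: strings in the report's 'Set value (str) ...' format.
    startup_files: basenames found in the user or common Startup folders.
    """
    entries = defaultdict(lambda: {"hives": set(), "paths": set()})
    for line in indicator_lines:
        m = SET_VALUE.match(line)
        if not m:
            continue  # not a Run value; ignore
        entries[m["name"]]["hives"].add(m["hive"])
        entries[m["name"]]["paths"].add(image_path(m["data"]))

    startup = {s.lower() for s in startup_files}
    report = {}
    for name, e in entries.items():
        signals = []
        if any(marker in p.lower() for p in e["paths"] for marker in USER_WRITABLE):
            signals.append("image in user-writable location")
        if {"USER", "MACHINE"} <= e["hives"]:
            signals.append("same value in both HKCU and HKLM Run")
        if any(ntpath.basename(p).lower() in startup for p in e["paths"]):
            signals.append("same binary dropped in Startup folder")
        report[name] = {"hives": sorted(e["hives"]), "paths": sorted(e["paths"]),
                        "signals": signals, "score": len(signals)}
    return report


# First two lines are this report's indicators; the third is a constructed
# benign entry (VMware Tools is a common sight on detonation VMs).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware User Process = "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"',
]
# Constructed Startup folder listing (the dropper copy is on this page).
SAMPLE_STARTUP = ["d0b55391935307500af21d28af2299df.exe", "desktop.ini"]

if __name__ == "__main__":
    for name, r in assess_run_values(SAMPLE_LINES, SAMPLE_STARTUP).items():
        print(f"{r['score']}/3  {name}  {r['paths']}  {r['signals']}")
```

On a live host the same three checks map onto `Get-ItemProperty` over both Run keys and `Get-ChildItem` over the two Startup folders; the value of scoring rather than alerting on any one signal is that a single Run value in AppData is common, while all three together are not.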

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ED1QUGW8\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K9KFIAQ8\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U6FX44QQ\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0C0JDM6X\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CVDYGDJO\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\jfr.jar.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jre7\bin\jp2launcher.exe.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234376.WMF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00388_.WMF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jre7\bin\policytool.exe.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEDAO.DLL.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187881.WMF.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.id[22CCAE4E-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4F.GIF C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
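The bcdedit, wbadmin, netsh and vssadmin signatures in this run list only the process images; the Indicator column is N/A, so the exact arguments are not visible in the report. The detection below is an added example, not part of the sandbox output, that matches the command lines Phobos is widely documented to run for these four behaviours and groups hits by parent process. The ATT&CK mapping (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall) is the editor's, since the matrix section of this page is empty, and the event records are constructed in the shape a Sysmon event ID 1 or Windows 4688 log would give.

```python
import re
from collections import defaultdict

# (rule id, ATT&CK technique, pattern over the command line). These are the
# documented Phobos command lines, assumed rather than observed for this sample.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("bcdedit_recoveryenabled_no", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_bootstatuspolicy_ignore", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("netsh_firewall_off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:state\s+off|opmode\s+mode=disable)\b", re.I)),
]


def match_rules(cmdline):
    """Return the ids of every rule whose pattern matches one command line."""
    return [rid for rid, _, pat in RULES if pat.search(cmdline)]


def group_by_parent(events):
    """Distinct rule hits per parent PID.

    events: iterable of dicts with keys pid, ppid, image, cmdline.
    Grouping by parent matters because ransomware runs the whole chain from
    one cmd.exe, whereas an admin running 'vssadmin delete shadows' once does not.
    """
    hits = defaultdict(set)
    for ev in events:
        for rid in match_rules(ev["cmdline"]):
            hits[ev["ppid"]].add(rid)
    return {ppid: sorted(rids) for ppid, rids in hits.items()}


def flag_parents(events, min_distinct=3):
    """Parent PIDs that spawned at least min_distinct different rule hits."""
    return sorted(ppid for ppid, rids in group_by_parent(events).items()
                  if len(rids) >= min_distinct)


def techniques_hit(events):
    """Sorted ATT&CK technique ids covered by any hit."""
    tech = {rid: t for rid, t, _ in RULES}
    return sorted({tech[rid] for rids in group_by_parent(events).values() for rid in rids})


# Constructed process-creation records: one cmd.exe (1188) running the
# recovery-inhibition chain, a second (1190) disabling the firewall, and two
# benign admin commands under an unrelated parent that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1201, "ppid": 1188, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1202, "ppid": 1188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1203, "ppid": 1188, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1204, "ppid": 1188, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1205, "ppid": 1188, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 1206, "ppid": 1190, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 1207, "ppid": 1190, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 1300, "ppid": 900, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 1301, "ppid": 900, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    for ppid, rids in group_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {', '.join(rids)}")
    print("flagged parents:", flag_parents(SAMPLE_EVENTS))
    print("techniques:", techniques_hit(SAMPLE_EVENTS))
```

The firewall parent (1190) is reported but not flagged at the default threshold; that is intentional, since `netsh ... state off` on its own is common enough in support scripts that it belongs in a lower-severity rule or in a correlation with the T1490 burst, which this sample's two netsh processes would satisfy.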

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
(47 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2492 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2492 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2492 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2492 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3020 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\SysWOW64\mshta.exe
PID 3020 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2536 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2536 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[22CCAE4E-3070].[[email protected]].banjo

MD5 047574292ef0e5e88d2a42c738d179e6
SHA1 5570a5595951345122bf845b6524d8b8d74a1896
SHA256 046726f4414419b9b523c80dd55eec27960e93b621e05d5f5a95b2cab60037f2
SHA512 f266550807dc8543ebdfd1c2263e49940bffce6069a8e2d784947b19b015a79bdcc846c8627a28d10049e153d333db343c48da6f0780d5003b277a8de1ca5daa

C:\info.hta

MD5 fcb42bbe08c30a011118f05e485e3e41
SHA1 1143cb6459a8f60c4b8896d1e98fa2b82564d707
SHA256 5fea63506587dbe9c4126b3885080b632bef3e7d3f2cbe2dfe8d1ff567c4223e
SHA512 90a54b2a1fc1d166848e107be7cd5afbc823584b1fb5910816dec557a783ef89fbdaf18175bcab14e06a99bbd659c67cf67be2a8e140f17a17ecf4be680a7e8e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 11:01

Reported

2024-03-17 11:03

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (255) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\d0b55391935307500af21d28af2299df.exe C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe" C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0b55391935307500af21d28af2299df = "C:\\Users\\Admin\\AppData\\Local\\d0b55391935307500af21d28af2299df.exe" C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\System.Windows.Forms.resources.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Input.Manipulations.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationFramework.resources.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javac.exe.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Overlapped.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XDocument.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-time-l1-1-0.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClientSideProviders.resources.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.AppContext.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ReachFramework.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationClient.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.id[8A8245B9-3070].[[email protected]].banjo C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4596 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 224 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 224 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4596 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4596 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 224 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 224 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 224 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 224 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 224 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 224 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 224 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 224 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe

"C:\Users\Admin\AppData\Local\Temp\d0b55391935307500af21d28af2299df.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3676 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[8A8245B9-3070].[[email protected]].banjo

MD5 a122718e24d3eced50259699d0be8dbe
SHA1 8af10caf6e51ebcd4aa54f3d8172cfbe2b3ccbc0
SHA256 883ff5326573c75646817122bd3b107d657c882dfbb6fc1dacd55dd12c16ac25
SHA512 201b71a6f0706bc9a38cf4c1875b2890bc5dd13491b91fc5cddb096d4cde225a0426d1a86a61a4050e16b2bb1e1f8c33b62fb0aed0962025c8b0b38668175d88