Malware Analysis Report

2024-09-11 01:15

Sample ID 240319-z5t1lsge7x
Target a.bin
SHA256 58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6

Threat Level: Known bad

The file a.bin was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (498) files with added filename extension

Deletes shadow copies

Renames multiple (310) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-19 21:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 21:18

Reported

2024-03-19 21:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (310) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\a.exe C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\a = "C:\\Users\\Admin\\AppData\\Local\\a.exe" C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "C:\\Users\\Admin\\AppData\\Local\\a.exe" C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZQH3SP\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\108YEMNS\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9UL0C6O\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java_crw_demo.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00435_.WMF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.DLL.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RTF_BOLD.GIF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98.POC C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\release C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdaremr.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_is.dll.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00145_.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02265_.WMF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvr.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sw.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197983.WMF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.id[02E6D95B-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1908 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1908 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1908 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1908 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1908 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1908 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1908 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1908 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\SysWOW64\mshta.exe
PID 2972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1556 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1556 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1556 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1556 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1556 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1556 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1556 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1556 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1556 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.id[02E6D95B-3398].[[email protected]].Elbie

MD5 61e64acca1cd01853fe6be727d95bf41
SHA1 d234e20dc5942db22636f1f2878f29ee4a99d230
SHA256 016bcb1dd6e4956d2de4cbf83f4cc35b52b30107bf370860c183dcb27babad83
SHA512 0f5f55820940178c4f8ae8127e84ecf2debb30a08b0a3c64fa8454d7ff6b8bdbab3fe4b228d63f0ab66dc331659096646030f08e822735d6ead588668ef21ea7

C:\info.hta

MD5 29eeb575aa0afe0ae1396951fa4c0d23
SHA1 c195f101b2d7433f8d19c25c8f517145699ce000
SHA256 77554467ebadf749588b47bd3dbcce946c648e48145bab773a6ea34b0fe8650a
SHA512 51b4b82020b0a351d5c3638dff550505a08d1c15701575aa3336878779dc9721d25f5823a6c0387cc24a4f0da10acb8c67d65ba8e9de6100bbaf72b7df1a8d86

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-19 21:18

Reported

2024-03-19 21:21

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (498) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\a.exe C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "C:\\Users\\Admin\\AppData\\Local\\a.exe" C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "C:\\Users\\Admin\\AppData\\Local\\a.exe" C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3045580317-3728985860-206385570-1000-MergedResources-0.pri C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\vcruntime140_cor3.dll.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-high.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jscripts\winrthost.js C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\de-DE.mail.config C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyStoryCover.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lt_get.svg C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_kn.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\hxoutlookintl.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Private.DataContractSerialization.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GlassVertexShader.cso C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_thumbnailview_18.svg C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\lcms.dll C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC.id[6EDB2AA7-3398].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\system32\cmd.exe
PID 3244 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3244 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1580 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3244 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3244 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3244 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3244 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3244 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3244 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3244 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3244 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[6EDB2AA7-3398].[[email protected]].Elbie

MD5 32efb74dd0fa5acc04d4ac2a472aee98
SHA1 fcc721487a83dbe2d6c2264cf2d00f412b10a9b9
SHA256 b89dae417ddbd36871bc496407239567e4e0bd4acc67510d6df163f06143cf9b
SHA512 a17d3686269b8c287f2fabb8276e765fd63f816c9d97c9845c97f237ea3bd876ddfdc8fc148955922a972993d4e0281b6dc404bc91efb0baec6d7949bd6b8776