Malware Analysis Report

2024-09-11 01:17

Sample ID 240419-wyl5msbg69
Target ac55175193c138897d08bd1ed3f4d4f420e02b98f086304c75a9d900cf5aafde
SHA256 ac55175193c138897d08bd1ed3f4d4f420e02b98f086304c75a9d900cf5aafde
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac55175193c138897d08bd1ed3f4d4f420e02b98f086304c75a9d900cf5aafde

Threat Level: Known bad

The file ac55175193c138897d08bd1ed3f4d4f420e02b98f086304c75a9d900cf5aafde was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Renames multiple (315) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (62) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-19 18:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 18:19

Reported

2024-04-19 18:23

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (62) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe" C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe" C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Extensions.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ServiceModel.Web.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationFramework.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationUI.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado28.tlb C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.ReaderWriter.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\UIAutomationTypes.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Input.Manipulations.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\UIAutomationClientSideProviders.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\Microsoft.VisualBasic.Forms.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Primitives.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Design.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Ping.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Formats.Asn1.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Windows.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationClientSideProviders.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l2-1-0.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\System.Windows.Forms.Primitives.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsFormsIntegration.resources.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.runtimeconfig.json C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Controls.Ribbon.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\WindowsFormsIntegration.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-heap-l1-1-0.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XmlDocument.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll.id[C80A1B75-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqloledb.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
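The created/modified pairs in the table above follow the Phobos naming scheme `<original>.id[<8 hex>-<4 digits>].[<contact>].<extension>`, here `.id[C80A1B75-3536].[[email protected]].dzen` (the contact address is masked in this copy of the report, so the parser keeps whatever the field contains). The 8-hex value is commonly read as a per-victim ID and the 4-digit value as a build or affiliate number. The Python below is an added triage helper written for this page, not part of the sandbox output: it splits the flattened rows on the known Process column (needed because paths in the Indicator column contain spaces), parses the Phobos suffix, pairs each encrypted file with its plaintext original where both rows are present, and flags an already-encrypted name that was opened again, as `RepoMan.dll.id[...]` is near the end of the table. The eight embedded rows are copied from the table; `SAMPLE_EXE` is the table's Process column value.

```python
"""Parse Phobos file indicators out of the flattened sandbox table.
Added example by the editor; the eight rows are copied from the report."""
import re
from collections import Counter

# Process column value shared by every row of the table above.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe")

# Phobos renames <original> to <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<variant>\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[^.\\]+)$")

ACTIONS = ("File opened for modification", "File created")

_PF = r"C:\Program Files"
_WD = _PF + r"\dotnet\shared\Microsoft.WindowsDesktop.App"
_TAG = r".id[C80A1B75-3536].[[email protected]].dzen"   # contact masked in this copy
SAMPLE_ROWS = [   # copied from the report table above
    rf"File created {_WD}\6.0.25\ja\WindowsBase.resources.dll{_TAG} {SAMPLE_EXE} N/A",
    rf"File opened for modification {_WD}\6.0.25\ja\WindowsBase.resources.dll {SAMPLE_EXE} N/A",
    rf"File created {_WD}\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll{_TAG} {SAMPLE_EXE} N/A",
    rf"File opened for modification {_WD}\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll {SAMPLE_EXE} N/A",
    rf"File created {_PF}\7-Zip\Lang\zh-cn.txt{_TAG} {SAMPLE_EXE} N/A",
    rf"File opened for modification {_PF}\7-Zip\Lang\hr.txt {SAMPLE_EXE} N/A",
    rf"File opened for modification {_PF}\7-Zip\7zFM.exe {SAMPLE_EXE} N/A",
    rf"File opened for modification {_PF}\Common Files\microsoft shared\ClickToRun\RepoMan.dll{_TAG} {SAMPLE_EXE} N/A",
]


def parse_row(line, process=SAMPLE_EXE):
    """Split a flattened 'Description Indicator Process Target' row into
    (action, path). The Process column is matched literally because the
    Indicator paths contain spaces. Returns None for rows of another shape."""
    suffix = " " + process + " N/A"
    if not line.endswith(suffix):
        return None
    body = line[:-len(suffix)]
    for action in ACTIONS:
        if body.startswith(action + " "):
            return action, body[len(action) + 1:]
    return None


def parse_phobos_name(path):
    """Return the Phobos marker fields for an encrypted file name, else None."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def triage(rows, process=SAMPLE_EXE):
    created, modified = set(), set()
    for line in rows:
        parsed = parse_row(line, process)
        if parsed:
            action, path = parsed
            (created if action == "File created" else modified).add(path)
    markers = Counter()          # (victim_id, variant, contact, ext) -> count
    originals = {}               # encrypted path -> plaintext path it replaces
    for path in created:
        info = parse_phobos_name(path)
        if info:
            originals[path] = info["original"]
            markers[(info["victim_id"], info["variant"], info["contact"], info["ext"])] += 1
    paired = {o for o in originals.values() if o in modified}
    reopened = {p for p in modified if parse_phobos_name(p)}   # encrypted name touched again
    return {
        "markers": markers,
        "encrypted_created": len(originals),
        "originals_paired": sorted(paired),
        "encrypted_reopened": sorted(reopened),
        "modified_unpaired": sorted(modified - paired - reopened),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    for (vid, variant, contact, ext), n in summary["markers"].items():
        print(f"victim {vid} build {variant} contact {contact} ext .{ext}: {n} encrypted files")
    for key in ("originals_paired", "encrypted_reopened", "modified_unpaired"):
        print(key, summary[key])
```

The sandbox shows only an excerpt of the file events, so a path listed under `modified_unpaired` (here `hr.txt` and `7zFM.exe`) means its encrypted counterpart was not in the excerpt, not that the file survived. A single `markers` key across all rows is the expected result for one run; two keys would indicate a second sample or a second victim ID and should be investigated before any decryptor triage.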

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A (identical row logged 64 times; repeats collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; the sandbox shows unnamed LUIDs numerically) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\system32\cmd.exe
PID 4620 wrote to memory of 5136 N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 5320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5136 wrote to memory of 5368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3264 wrote to memory of 5876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5136 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5136 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5136 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5136 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 142.250.187.202:443 N/A tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C80A1B75-3536].[[email protected]].dzen

MD5 f3600bbed2bc7dfd58bddc6f42067220
SHA1 eb9ab47f1ca1806c8d5415bc8401e7390e9c2af7
SHA256 f775e9ff604ace8a6c9ba9eacdb51658aa8badefd4f74367e631619e2bc12061
SHA512 39fb52dbb7dab43ec37bea2c0ad8aa25734b8d03bd1b8d4ddc3e1c64c451503a92cbdeec2d6f70d31586c5ed6c6b9644b05c1f1920f3eb36b8ef2f1324e0a68a

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 18:19

Reported

2024-04-19 18:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (315) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe" C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe" C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BB0Z8TKM\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WZPJ6IGS\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LS99WIMF\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1OEGTYQG\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AS4I30IR\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2Y0HPGOE\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00735_.WMF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jre7\bin\dt_shmem.dll.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Music.jtp C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jre7\lib\meta-index.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14752_.GIF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Chicago.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\hxdsui.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00260_.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115867.GIF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.DPV C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAILMOD.POC C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232171.WMF.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO.id[CF0A0330-3536].[[email protected]].dzen C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
File opened for modification C:\Program Files\AddRestart.ADT C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
(the same row is reported 64 times for this process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2616 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2520 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2676 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2520 wrote to memory of 2424 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1200 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2616 wrote to memory of 2556 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2616 wrote to memory of 616 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2616 wrote to memory of 2700 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2616 wrote to memory of 1744 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2172 wrote to memory of 1888 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\SysWOW64\mshta.exe
PID 2172 wrote to memory of 928 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\SysWOW64\mshta.exe
PID 2172 wrote to memory of 1116 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\SysWOW64\mshta.exe
PID 2172 wrote to memory of 572 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\SysWOW64\mshta.exe
PID 2172 wrote to memory of 1084 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1176 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 2716 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1084 wrote to memory of 2464 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1084 wrote to memory of 1700 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1084 wrote to memory of 2624 (3 entries) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[CF0A0330-3536].[[email protected]].dzen

MD5 f8b863092486bb9f6a7bac5bb51b1cf9
SHA1 4768ed7d9e5567955f6598037cd640fa415523da
SHA256 e4662f622d4a85e2ac9a148753579810d46d8740304c9e2f42b15281cd805ba2
SHA512 efe91e01fcde5edb6fe1605b7b3ae1343598888bfe7d5aab71050410c7fb56ba6f68457514551882b6cd341dfd2fc01c20c890452fa0601203e0da319bca3403

C:\info.hta

MD5 27ebcc9fd6e5d0ffafd228c6547deb14
SHA1 102f90c3cc6ec39b5b28dbda098352f0561067f6
SHA256 4b141b1d75dbb1ba79e1749151b0b8e5a29ec403bb5b0d9e38b6d4b5737ddf9d
SHA512 80b06c71b3d7b7506195f2a3ab19b6491cd9a38814641261c3545bfe979c24aebee7437a12f83f56706f4b119a26b8b4e8b183a8d1b21df0bb9823c590afca84