Malware Analysis Report

2024-09-11 01:17

Sample ID 240425-s52l5acb86
Target m.exe
SHA256 43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43f846c12c24a078ebe33f71e8ea3b4f75107aeb275e2c3cd9dc61617c9757fc

Threat Level: Known bad

The file m.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (446) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Interacts with shadow copies

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-25 15:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 15:43

Reported

2024-04-25 15:45

Platform

win10-20240404-en

Max time kernel

131s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\m.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (446) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\m.exe C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\m = "C:\\Users\\Admin\\AppData\\Local\\m.exe" C:\Users\Admin\AppData\Local\Temp\m.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\m = "C:\\Users\\Admin\\AppData\\Local\\m.exe" C:\Users\Admin\AppData\Local\Temp\m.exe N/A
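The two Run values above and the Startup-folder copy earlier in this section are the same persistence pattern seen three times: one binary registered per-user (HKCU Run), machine-wide (HKLM Run) and in the user's Startup folder, with the Run values pointing at C:\Users\Admin\AppData\Local\m.exe rather than the Temp path the sample was launched from. The script below is an added triage example, not code from the sandbox or from this report. It parses `reg query` output and a Startup-folder listing and scores each autostart binary on three signals visible in the rows above. The reg query text and the folder listing are constructed: the "m" rows mirror the report, the OneDrive and SecurityHealth rows are benign filler, and ENV holds assumed values for environment variables a REG_EXPAND_SZ value may reference.

```python
"""Correlate autostart locations for the persistence pattern in the report.

Added example, not code from the sandbox or from the report. The reg query
text and the Startup-folder listing are constructed; the "m" rows mirror the
report's Run-key and Startup rows, the other rows are benign filler.
"""
import re
from collections import defaultdict

REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    m    REG_SZ    C:\Users\Admin\AppData\Local\m.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    m    REG_SZ    C:\Users\Admin\AppData\Local\m.exe
"""

STARTUP_FOLDER = [  # constructed listing of the user's Startup folder
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}  # assumed values
AUTOSTART_EXT = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")
# `reg query` prints value rows as: <4 spaces><name><4 spaces><type><4 spaces><data>
VALUE_LINE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")
# Directories a standard user can write to. ProgramData is included because
# most of its subfolders are user-writable by default (assumption, site-specific).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|temp\\)", re.IGNORECASE)


def parse_reg_query(text):
    """Parse `reg query <key>` output into hive/key/name/type/data rows."""
    rows, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            rows.append({"hive": key.split("\\", 1)[0], "key": key,
                         "name": name, "type": vtype, "data": data.strip()})
    return rows


def expand(path):
    """Expand %VAR% references using the assumed ENV table (unknown ones are kept)."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def image_path(data):
    """Extract the executable from a Run value: quoted path with args, or bare path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(reg_text, startup_files):
    """Group autostart entries by binary name and score each on three signals."""
    groups = defaultdict(lambda: {"paths": set(), "locations": []})
    for row in parse_reg_query(reg_text):
        img = expand(image_path(row["data"]))
        g = groups[basename(img)]
        g["paths"].add(img)
        g["locations"].append(f'{row["hive"]}\\Run\\{row["name"]}')
    for p in startup_files:
        if p.lower().endswith(AUTOSTART_EXT):   # desktop.ini and the like are not autostarts
            g = groups[basename(p)]
            g["paths"].add(p)
            g["locations"].append("StartupFolder")
    results = {}
    for name, g in groups.items():
        reasons = []
        if any(USER_WRITABLE.match(p) for p in g["paths"]):
            reasons.append("image lives in a user-writable directory")
        if any(loc.startswith("HKEY_LOCAL_MACHINE") for loc in g["locations"]) \
           and any(p.lower().startswith("c:\\users\\") for p in g["paths"]):
            reasons.append("machine-wide HKLM Run entry points into a user profile")
        if len(g["locations"]) >= 2:
            reasons.append(f"same binary registered in {len(g['locations'])} autostart locations")
        results[name] = {"score": len(reasons), "reasons": reasons,
                         "locations": sorted(g["locations"]), "paths": sorted(g["paths"])}
    return results


if __name__ == "__main__":
    for name, r in sorted(triage(REG_QUERY_OUTPUT, STARTUP_FOLDER).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']} {name}: {'; '.join(r['reasons']) or 'no findings'}")
```

A user-writable image path on its own is a weak signal (OneDrive scores 1 here); the combination that matters for this sample is the HKLM entry pointing into a user profile plus the same name appearing in three locations.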

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\m.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1251_48x48x32.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nc_60x42.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\11d.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\charsets.jar.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_TeethSmile.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.INF.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\mainPage_more_themes_bp_920.jpg C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tl_16x11.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-96.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Donut_icon.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_RU-RU.respack C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\glib-lite.dll C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\ui-strings.js.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.id[E4B18B78-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.ViewModel.winmd C:\Users\Admin\AppData\Local\Temp\m.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\do_60x42.png C:\Users\Admin\AppData\Local\Temp\m.exe N/A

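The "File created" rows above show the naming scheme the sample applies to each encrypted file: the original name followed by `.id[<victim id>].[<contact>].eight`, with the victim ID E4B18B78-2822 constant across the run. The contact field between the second pair of brackets is masked as "[email protected]" in this rendering of the page, so the parser below treats whatever sits there as an opaque string. The code is an added example, not code from the sandbox or the report; SAMPLE_ROWS is a constructed subset of the report's own file rows. It separates the encrypted files being created from the plaintext originals being opened, notices already-encrypted names being opened again, and derives a hunting regex from the observed victim ID and extension.

```python
"""Parse Phobos-style encrypted file names out of sandbox file-activity rows.

Added example, not code from the sandbox or from the report. SAMPLE_ROWS is a
constructed subset of the report's "File created" / "File opened for
modification" rows; the contact field is masked in this rendering of the page.
"""
import re
from collections import Counter

SAMPLE_ROWS = [
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js.id[E4B18B78-2822].[[email protected]].eight",
    r"File created C:\Program Files\7-Zip\7-zip.chm.id[E4B18B78-2822].[[email protected]].eight",
    r"File created C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.id[E4B18B78-2822].[[email protected]].eight",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[E4B18B78-2822].[[email protected]].eight",
    r"File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.id[E4B18B78-2822].[[email protected]].eight",
    r"File opened for modification C:\Program Files\Java\jre-1.8\lib\charsets.jar.id[E4B18B78-2822].[[email protected]].eight",
    r"File opened for modification C:\Program Files\Java\jre-1.8\bin\glib-lite.dll",
    r"File opened for modification C:\Users\Public\desktop.ini",
]

# <original name>.id[<8 hex>-<4 digits>].[<contact>].<extension>
# The victim-ID shape is the one observed in this report; the contact group is
# greedy so a contact that itself contains brackets is still captured whole.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$")
ROW = re.compile(r"^(File created|File opened for modification)\s+(.+)$")


def parse_encrypted_name(path):
    """Return victim/contact/ext/original fields for an encrypted name, else None."""
    name = path.rsplit("\\", 1)[-1]
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    info = m.groupdict()
    orig = info["original"]
    info["original_ext"] = orig.rsplit(".", 1)[-1].lower() if "." in orig else ""
    return info


def summarize(rows):
    """Summarise file rows: IOC fields, what was encrypted, and anomalies."""
    victims, contacts, exts = set(), set(), set()
    created_by_ext = Counter()
    reopened, plaintext_opened = [], 0
    for line in rows:
        m = ROW.match(line.strip())
        if not m:
            continue
        action, path = m.groups()
        info = parse_encrypted_name(path)
        if info is None:
            if action.startswith("File opened"):
                plaintext_opened += 1      # original being read before encryption
            continue
        victims.add(info["victim"])
        contacts.add(info["contact"])
        exts.add(info["ext"])
        if action == "File created":
            created_by_ext[info["original_ext"]] += 1
        else:
            reopened.append(path)          # encrypted name opened again: double pass or re-run
    hunt = [re.compile(r"\.id\[%s\]\.\[.+\]\.%s$" % (re.escape(v), re.escape(e)))
            for v in sorted(victims) for e in sorted(exts)]
    return {
        "victim_ids": sorted(victims),
        "contacts": sorted(contacts),
        "extensions": sorted(exts),
        "created_by_original_ext": dict(created_by_ext),
        "reopened_encrypted": reopened,
        "plaintext_opened": plaintext_opened,
        "hunt_patterns": hunt,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("victim IDs:", s["victim_ids"], "extensions:", s["extensions"])
    print("encrypted files created per original extension:", s["created_by_original_ext"])
    print("already-encrypted names opened again:", len(s["reopened_encrypted"]))
    print("hunt regex:", [p.pattern for p in s["hunt_patterns"]])
```

The victim ID and extension are the stable part of the name and the right thing to hunt on; the contact string changes between campaigns and is masked here anyway. Note that the report itself lists an already-encrypted charsets.jar being opened for modification, which the "reopened" bucket surfaces.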
Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
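The report records the sample launching bcdedit.exe, wbadmin.exe, netsh.exe, vssadmin.exe and WMIC.exe (the latter also appears under AdjustPrivilegeToken enabling a broad privilege set), but the Indicator column is N/A, so the actual command lines are not on this page. The detector below is an added example, not code from the sandbox or from this report; it serves the bcdedit/wbadmin/netsh signatures earlier in this section as well as the vssadmin rows just above. Its input is constructed JSON lines in the shape of Sysmon Event ID 1, with PIDs 2816, 784 and 4984 taken from the report's WriteProcessMemory rows; the command lines are the ones publicly documented for Phobos (shadow deletion via vssadmin and WMIC, bcdedit recovery disable, wbadmin catalog deletion, netsh firewall disable) and are assumed, not read from this report. The point it demonstrates is attribution: a single `vssadmin delete shadows` from an administrator's shell is worth a look, whereas several recovery-inhibition commands chained back to one originating process is the pre-encryption pattern.

```python
"""Flag recovery-inhibition and firewall-tampering commands in process-creation logs.

Added example, not code from the sandbox or from the report. Events are
constructed JSON lines in the shape of Sysmon Event ID 1; the command lines are
the ones publicly documented for Phobos and are assumed, not taken from this
report, whose Indicator column for these tools is N/A.
"""
import json
import re
from collections import defaultdict

# (rule name, regex over the lowercased command line)
RULES = [
    ("T1490 vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("T1490 wmic shadow deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490 bcdedit recovery disable",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b")),
    ("T1490 wbadmin catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("T1562.004 netsh firewall disable",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(mode=)?disable)\b")),
]

# Shell hops to walk through when attributing a tool launch to its originator.
SHELL_HOPS = {"cmd.exe", "powershell.exe"}

# Constructed sample log. PIDs 2816/784/4984 mirror the report; everything
# else (explorer, the admin's interactive cmd.exe, PIDs 1xxx/2xxx) is invented.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":1000,"ParentProcessId":900,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"EventID":1,"ProcessId":2816,"ParentProcessId":1000,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\m.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\m.exe\""}
{"EventID":1,"ProcessId":784,"ParentProcessId":2816,"Image":"C:\\Windows\\system32\\cmd.exe","CommandLine":"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"}
{"EventID":1,"ProcessId":1100,"ParentProcessId":784,"Image":"C:\\Windows\\system32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /all /quiet"}
{"EventID":1,"ProcessId":1104,"ParentProcessId":784,"Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}
{"EventID":1,"ProcessId":1108,"ParentProcessId":784,"Image":"C:\\Windows\\system32\\bcdedit.exe","CommandLine":"bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"EventID":1,"ProcessId":1112,"ParentProcessId":784,"Image":"C:\\Windows\\system32\\bcdedit.exe","CommandLine":"bcdedit /set {default} recoveryenabled no"}
{"EventID":1,"ProcessId":1116,"ParentProcessId":784,"Image":"C:\\Windows\\system32\\wbadmin.exe","CommandLine":"wbadmin delete catalog -quiet"}
{"EventID":1,"ProcessId":4984,"ParentProcessId":2816,"Image":"C:\\Windows\\system32\\cmd.exe","CommandLine":"cmd.exe /c netsh advfirewall set currentprofile state off & netsh firewall set opmode mode=disable"}
{"EventID":1,"ProcessId":1120,"ParentProcessId":4984,"Image":"C:\\Windows\\system32\\netsh.exe","CommandLine":"netsh advfirewall set currentprofile state off"}
{"EventID":1,"ProcessId":2000,"ParentProcessId":1000,"Image":"C:\\Windows\\system32\\cmd.exe","CommandLine":"\"C:\\Windows\\system32\\cmd.exe\""}
{"EventID":1,"ProcessId":2004,"ParentProcessId":2000,"Image":"C:\\Windows\\system32\\vssadmin.exe","CommandLine":"vssadmin list shadows"}
{"EventID":1,"ProcessId":2008,"ParentProcessId":2000,"Image":"C:\\Windows\\system32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /for=c: /oldest"}
{"EventID":3,"ProcessId":2816,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\m.exe","DestinationIp":"192.0.2.10"}
"""


def parse_events(text):
    """Parse JSON-lines input; keep only process-creation (EventID 1) records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or garbled lines in real exports
        if ev.get("EventID") == 1 and "ProcessId" in ev:
            events.append(ev)
    return events


def match_rules(cmdline):
    """Names of the rules whose pattern occurs anywhere in the command line."""
    cl = cmdline.lower()
    return [name for name, rx in RULES if rx.search(cl)]


def root_of(pid, by_pid):
    """Walk the parent chain past shell hops and return the originating image."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        image = by_pid[pid].get("Image", "")
        if image.rsplit("\\", 1)[-1].lower() not in SHELL_HOPS:
            return image
        pid = by_pid[pid].get("ParentProcessId")
    return None


def analyze(text):
    """Group rule hits by originating process and assign a verdict per originator."""
    events = parse_events(text)
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = defaultdict(set)  # originating image -> set of rule names
    for ev in events:
        hits = match_rules(ev.get("CommandLine", ""))
        if hits:
            root = root_of(ev.get("ParentProcessId"), by_pid) or "<unknown>"
            findings[root].update(hits)
    verdicts = {}
    for root, names in findings.items():
        recovery = [n for n in names if n.startswith("T1490")]
        firewall = [n for n in names if n.startswith("T1562")]
        if len(recovery) >= 2 or (recovery and firewall):
            verdicts[root] = "HIGH: chained recovery inhibition from one originator (ransomware pre-encryption pattern)"
        else:
            verdicts[root] = "REVIEW: single recovery/firewall tampering command"
    return {"findings": {k: sorted(v) for k, v in findings.items()}, "verdicts": verdicts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for root, verdict in result["verdicts"].items():
        print(f"{verdict}\n  originator: {root}\n  rules: {', '.join(result['findings'][root])}")
```

The rules deliberately match `cmd.exe /c a & b & c` lines as well as the child processes they spawn, so the detection still fires on a host where the child launches are not logged; counting distinct rules per originator keeps that from inflating the score.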

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\m.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\m.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported by LUID 33) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTimeZonePrivilege (reported by LUID 34) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreateSymbolicLinkPrivilege (reported by LUID 35) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDelegateSessionUserImpersonatePrivilege (reported by LUID 36) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4984 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 784 wrote to memory of 4072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 784 wrote to memory of 4072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4984 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4984 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 784 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 784 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 784 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 784 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 784 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 784 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 784 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 784 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\SysWOW64\mshta.exe
PID 2816 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\m.exe C:\Windows\system32\cmd.exe
PID 3724 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3724 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3724 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3724 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3724 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3724 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3724 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3724 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3724 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3724 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\m.exe

"C:\Users\Admin\AppData\Local\Temp\m.exe"

C:\Users\Admin\AppData\Local\Temp\m.exe

"C:\Users\Admin\AppData\Local\Temp\m.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[E4B18B78-2822].[[email protected]].eight

MD5 e996912d8a05c237321003cae1304f91
SHA1 3a28996c0395fe104daf91e280b295215c80343e
SHA256 4f959fee7ad02b1cf0720fbf39b939a1c0ad739cb07d188f44dc320a3025e34c
SHA512 fee0f3c2e32fc7df9bae0b6c1e7bc6ab68dbb828440e868c3bb89287982f8f46553e5776ef973e9047acde79d0a6a6a8ea5692c27cfde49e661f3d9819cb9fd5

C:\info.hta

MD5 e41f1abc13b6b942cf3f6eea91e80b15
SHA1 c2cc55bc6a999ab9338b3b6e04bfa7fbdf864935
SHA256 075d57e17cd08b42eb32ec48cc11638dcc7f83205eb5e69731346e030c1e48b0
SHA512 8619379f92279d6691ae8af3f2b8a4e4f9e7fd7ca47556ec0b51e604e0d6d4afb87903ed85c9524c1edf858fb4a797dba3fac26887763053d8f0399f24056d6b