Malware Analysis Report

2024-09-11 01:16

Sample ID: 240501-vfdvwadh33
Target: possible_irt_8base-16940971753.zip
SHA256: 8dcd2cfd4c38ceb5e80e08e17c50bcca2232b33c2e78112545b2ede73cb5b8e3
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral2, behavioral5, behavioral6, behavioral8, behavioral4, behavioral7, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 8dcd2cfd4c38ceb5e80e08e17c50bcca2232b33c2e78112545b2ede73cb5b8e3

Threat Level: Known bad

The file possible_irt_8base-16940971753.zip was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (316) files with added filename extension

Renames multiple (310) files with added filename extension

Renames multiple (312) files with added filename extension

Renames multiple (517) files with added filename extension

Renames multiple (317) files with added filename extension

Renames multiple (518) files with added filename extension

Deletes shadow copies

Renames multiple (511) files with added filename extension

Renames multiple (705) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-01 16:55

Signatures

Unsigned PE

4 rows; Description, Indicator, Process and Target are all N/A.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 16:55
Reported: 2024-05-01 17:00
Platform: win7-20240215-en
Max time kernel: 299s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Process: C:\Windows\system32\bcdedit.exe (4 rows; Description, Indicator and Target are N/A, so the bcdedit command lines are not shown here)

Renames multiple (310) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Process: C:\Windows\system32\wbadmin.exe (2 rows; Description, Indicator and Target are N/A)

Modifies Windows Firewall

evasion
Process: C:\Windows\system32\netsh.exe (2 rows; Description, Indicator and Target are N/A)

Drops startup file

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe
Target (all rows): N/A
Description Indicator
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[98E38C9F-3483].[[email protected]].8base
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Process (both rows): C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe
Target (both rows): N/A
Description Indicator
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

Both values point to a copy under C:\Users\Admin\AppData\Local\, not to the Temp path the sample was launched from, and the HKLM and HKCU entries carry the same name and data. Remediation therefore has to clear both Run values as well as the copy dropped into the Startup folder (listed under "Drops startup file" above).

Drops desktop.ini file(s)

Process (all 64 rows): C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe
Description (all rows): File opened for modification
Target (all rows): N/A
Indicator:
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FA862KXF\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Videos\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EY0DVRIO\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K03K2CA5\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1MQ01HTG\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P1KETFJO\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini

Drops file in Program Files directory

Process (all 64 rows): C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe
Target (all rows): N/A
Description Indicator
File created C:\Program Files\Java\jre7\lib\zi\America\Thule.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar
File created C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files\VideoLAN\VLC\libvlc.dll.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
File opened for modification C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\WET
File opened for modification C:\Program Files\Java\jre7\bin\decora-sse.dll
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02400_.WMF
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt.id[98E38C9F-3483].[[email protected]].8base
File created C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL.id[98E38C9F-3483].[[email protected]].8base
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.id[98E38C9F-3483].[[email protected]].8base

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2524 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2972 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2972 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2972 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2268 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 2268 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 208 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 208 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 208 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 208 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 208 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 208 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 208 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 208 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 208 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

memory/2268-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2268-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2268-2-0x00000000003A0000-0x00000000003AF000-memory.dmp

memory/2284-7-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2284-6-0x00000000002F2000-0x0000000000305000-memory.dmp

memory/2284-5-0x0000000000400000-0x0000000000695000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[98E38C9F-3483].[[email protected]].8base

MD5 d7082615029d10685afef5c2943a543e
SHA1 8a19c1a4ad0c00ee557e92e899392b225588e7e9
SHA256 2560fbf7738169306acb73d38ea0c38a3e943c2299e2489e25427ab8ab2dbc43
SHA512 b4ca50182a896376bb2e21d7abd0ff2d8b3488d831ba243fac70a30466f6c88e81debcf994d0aa233201ffa45e8ae1532b88c16f91dcf0dc475facc81c0bad37

memory/2268-1032-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2268-8009-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2268-7999-0x0000000000400000-0x0000000000695000-memory.dmp

C:\info.hta

MD5 1e1b1997e0f383e7838c5192024c067e
SHA1 4a42026f1a5a10ac568698d5632f022597778067
SHA256 5b35334456de9d235aa8161c71c8aa53d86024afbbc03bbcc17ada641e1f33f3
SHA512 e283b6a973bc3bf0b05c50829ca70634834fd12a32ed2b834184fd6676cda58f1b910c79efded41e1565a33fc16696258abe1750d805f8c8ac7c5f3fc4ead364

memory/2268-10281-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2268-10301-0x0000000000400000-0x0000000000695000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win10v2004-20240226-en

Max time kernel

300s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (705) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-125.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\ko.pak.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\PresentationCore.resources.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.strings.psd1.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_200_percent.pak.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-150.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Accessibility.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\LogoBeta.png.DATA C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\es.pak.DATA.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\LICENSE C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\Microsoft.VisualBasic.Forms.resources.dll.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
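The rows above carry the two indicators worth pulling out of a Phobos report by hand or by script: the appended marker `.id[<victim-id>].[<contact>].<extension>` (here `60D70AC9-3483` and `8base`; the contact mailbox survived extraction only as the token `[email protected]`), and the `desktop.ini` touches in every walked directory, which show the traversal reached `C:\Program Files`, `C:\ProgramData`, `$Recycle.Bin` and the `F:` drive. The parser below is an added example and is not part of the report or of the sandbox that produced it. It assumes the report's own row layout (`<action> <indicator path> <process path> N/A`, with the Process column being the last drive-letter path on the row) and uses six rows copied from this page as its constructed sample input.

```python
import re
from collections import Counter

# Phobos (the 8Base variant in this report) renames each file it encrypts by
# appending ".id[<victim-id>].[<contact>].<extension>". On this page the victim
# id is 60D70AC9-3483 and the extension is "8base"; the contact mailbox was
# redacted to "[email protected]" by extraction, so the contact group is matched
# loosely instead of as a well-formed address.
PHOBOS_MARKER = re.compile(
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# One row of the report's "Description Indicator Process Target" file table.
FILE_ROW = re.compile(
    r"^(?P<action>File created|File opened for modification) (?P<rest>.+) N/A$"
)
# The Process column is the last drive-letter path on the row; everything
# before it is the Indicator path, which may itself contain spaces.
PATH_START = re.compile(r" (?=[A-Za-z]:\\)")


def parse_file_row(line):
    """Return (action, indicator_path, process_path), or None for non-file rows."""
    m = FILE_ROW.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    starts = list(PATH_START.finditer(rest))
    if not starts:
        return None
    cut = starts[-1].start()
    return m.group("action"), rest[:cut], rest[cut + 1:]


def phobos_marker(path):
    """Victim id, contact and extension if the path carries the Phobos suffix, else None."""
    m = PHOBOS_MARKER.search(path)
    return m.groupdict() if m else None


def top_level_dir(path):
    r"""Drive plus first directory, e.g. 'C:\Program Files (x86)' for anything under it."""
    return path[:3] + path[3:].split("\\", 1)[0]


def summarize(rows):
    """Aggregate the file-event rows into the indicators an analyst wants from the report."""
    counts = {k: Counter() for k in
              ("actions", "victims", "contacts", "extensions", "roots", "processes")}
    desktop_ini = 0
    for line in rows:
        parsed = parse_file_row(line)
        if parsed is None:
            continue                      # registry rows, headers, blank lines
        action, path, process = parsed
        counts["actions"][action] += 1
        counts["processes"][process] += 1
        counts["roots"][top_level_dir(path)] += 1
        # desktop.ini is touched in every walked directory: a cheap sign of a
        # full-tree traversal even where the file itself is never renamed.
        if path.lower().endswith("\\desktop.ini"):
            desktop_ini += 1
        marker = phobos_marker(path)
        if marker:
            counts["victims"][marker["victim"]] += 1
            counts["contacts"][marker["contact"]] += 1
            counts["extensions"][marker["ext"]] += 1
    result = {k: dict(v) for k, v in counts.items()}
    result["desktop_ini"] = desktop_ini
    return result


# Constructed sample input: five file rows and one registry row copied from
# this report. The registry row must be ignored by the file-row parser.
SAMPLE_ROWS = [
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_200_percent.pak.id[60D70AC9-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A",
    r"File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A",
    r"File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A",
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Note the second sample row: the sandbox logs a "File opened for modification" on a path that already carries the marker, so the rename happens before (or during) the write, and a detection keyed only on "File created" events would undercount. Counting both actions per victim id, as `summarize` does, is the robust way to read these tables.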

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
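This section records only that vssadmin.exe ran twice; the arguments are not shown here, and the summary at the top of the report separately lists shadow-copy deletion, bcdedit changes and backup-catalog deletion. The detection logic below is an added example (not part of the report or of any sandbox product) for turning that behaviour into a process-creation rule: it classifies Windows command lines against the backup-destruction commands documented for Phobos, matching on the command line rather than the image name so that a `cmd.exe /c ...` wrapper fires too, and groups hits by parent so the whole chain launched by one process is visible. The sample events are constructed for the example, not copied from this report; `MALWARE` is the report's own sample path used as a label.

```python
import re

# T1490 Inhibit System Recovery: command-line rules for the backup-destruction
# commands documented for Phobos. Each regex is matched case-insensitively
# against the full command line, so both a direct launch and a cmd.exe wrapper
# ("cmd.exe /c vssadmin ...") trigger it. Read-only uses such as
# "vssadmin list shadows" or "bcdedit /enum" deliberately do not match.
BACKUP_INHIBITION_RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}


def classify(command_line):
    """Names of the rules one process command line triggers (empty list if none)."""
    return [name for name, rx in BACKUP_INHIBITION_RULES.items() if rx.search(command_line)]


def triage(events):
    """Map each parent process to the rule names its children triggered, in event order."""
    hits = {}
    for ev in events:
        names = classify(ev["command_line"])
        if names:
            hits.setdefault(ev["parent"], []).extend(names)
    return hits


def ransomware_like(hits, threshold=2):
    """Parents that triggered at least `threshold` distinct rules: one tool can be an
    admin at work, several from the same parent in one burst is the Phobos pattern."""
    return sorted(p for p, names in hits.items() if len(set(names)) >= threshold)


# Label for the report's sample; the events themselves are constructed.
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

SAMPLE_EVENTS = [
    {"parent": MALWARE, "command_line": r"vssadmin.exe delete shadows /all /quiet"},
    {"parent": MALWARE, "command_line": r"wmic shadowcopy delete"},
    {"parent": MALWARE, "command_line": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"parent": MALWARE, "command_line": r"bcdedit /set {default} recoveryenabled no"},
    {"parent": MALWARE, "command_line": r"wbadmin delete catalog -quiet"},
    # Benign administrative uses that must stay quiet.
    {"parent": "explorer.exe", "command_line": r"vssadmin.exe list shadows"},
    {"parent": "explorer.exe", "command_line": r"bcdedit /enum"},
    # Shrinking shadow storage through a cmd.exe wrapper: a single hit, below threshold.
    {"parent": "cmd.exe", "command_line": r'"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB'},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for parent, names in hits.items():
        print(parent, "->", ", ".join(names))
    print("ransomware-like parents:", ransomware_like(hits))
```

The threshold in `ransomware_like` is the practical knob: `vssadmin delete shadows` alone is noisy on backup servers, but the same parent issuing shadow deletion, `bcdedit` recovery changes and catalog deletion within one burst is hard to explain as administration.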

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2908 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3308 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3308 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3308 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3308 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2908 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2908 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3420 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\SysWOW64\mshta.exe
PID 3420 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe C:\Windows\system32\cmd.exe
PID 208 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 208 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 208 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 208 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 208 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 208 wrote to memory of 3956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 208 wrote to memory of 3956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 288

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3580 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp

Files

memory/3420-1-0x0000000000800000-0x0000000000900000-memory.dmp

memory/3420-2-0x00000000023E0000-0x00000000023EF000-memory.dmp

memory/3420-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2252-5-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2252-6-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[60D70AC9-3483].[[email protected]].8base

MD5 8f2b856e347ccb123050ab16956b56ea
SHA1 e48ac784673b332c9e4261cc59886eea26953407
SHA256 23e7e15d54ab68fd4dbf08929d5cdb75a0de2e0d4a63e2ef6ba8a61ddd2e8402
SHA512 bca2a6feacd2f0020d9f23382aae78807deb7c1b5337abc6c5c54aafeb99123ace39393155cfc7e700b90d482d199f644a4657b67f2a75e5d549b9b7932cc140

memory/3420-216-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-572-0x0000000000800000-0x0000000000900000-memory.dmp

memory/3420-629-0x00000000023E0000-0x00000000023EF000-memory.dmp

memory/3420-628-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-732-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3420-943-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-1709-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-2526-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-3628-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-4286-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-5181-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-5665-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-6185-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-6524-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-9049-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-9357-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-10319-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3420-12530-0x0000000000400000-0x0000000000695000-memory.dmp

C:\info.hta

MD5 2a1d83e437af24e1d247d71bfaba622b
SHA1 d385f6fbfed898412ee600781dab3d569e76b64b
SHA256 2ef89d7b763ac4dce1c140f6b220d9e62e66182fbcc4d0f7902bc79f4adb825b
SHA512 19756655c979317fee46025feec31d9bcc61f49e66f694505b987c7bb5de016e029a82a1df1e7ea56694a552960d34651678a678909436f993105de126f45f83

memory/3420-12712-0x0000000000400000-0x0000000000695000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win7-20240221-en

Max time kernel

300s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (317) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5 = "C:\\Users\\Admin\\AppData\\Local\\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe" C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5 = "C:\\Users\\Admin\\AppData\\Local\\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe" C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\108YEMNS\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9UL0C6O\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\jsse.jar C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151045.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\subscription.xsd.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04174_.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00159_.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR16F.GIF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239941.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00998_.WMF.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\desktop.ini.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB10.BDR C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.id[AC1C9AD4-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2628 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2628 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2628 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2628 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2792 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2500 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2500 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2500 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2500 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2500 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2500 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2500 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2500 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2500 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
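The process list above is the whole Phobos impact chain in one place: the sample spawns two cmd.exe children, one runs both netsh firewall-disable variants, the other deletes shadow copies twice (vssadmin and WMI), disables Windows Recovery and boot-failure handling through bcdedit, and wipes the backup catalog with wbadmin; the sample itself then launches mshta.exe on each dropped info.hta ransom note. The script below is an added example and is not part of the sandbox report: it re-creates those records as constructed data (PIDs follow the "wrote to memory" rows; the parent PID 1740 of the sample is an assumption, and PID 9999 is a constructed benign control), applies a small rule set, maps hits to ATT&CK T1490, T1562.004 and T1218.005, and attributes each hit back to the ancestor that spawned the cmd.exe intermediaries, which is the process a responder actually needs to kill and collect.

```python
"""Triage of a Phobos-style process chain (added example, not from the sandbox report)."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

# (pid, parent pid, image, command line). Constructed from the report's Processes
# list; parent 1740 of the sample is assumed, PID 9999 is a benign control entry.
SAMPLE_PROCESSES = [
    (2792, 1740, SAMPLE, f'"{SAMPLE}"'),
    (2628, 2792, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2276, 2792, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2972, 2276, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (1684, 2276, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (2568, 2628, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (2460, 2628, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (332, 2628, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (2656, 2628, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (3020, 2628, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (1680, 2792, r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'),
    (9999, 4000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),  # benign admin use
]

# (ATT&CK technique, label, regex over the normalised "<image basename> <args>" string).
RULES = [
    ("T1490", "shadow copies deleted via vssadmin", r"^vssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1490", "shadow copies deleted via WMI", r"^wmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1490", "Windows Recovery Environment disabled", r"^bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("T1490", "boot failure recovery suppressed", r"^bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    ("T1490", "Windows Backup catalog deleted", r"^wbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1562.004", "firewall profile turned off (advfirewall)", r"^netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"),
    ("T1562.004", "firewall turned off (legacy netsh firewall)", r"^netsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b"),
    ("T1218.005", "mshta launched an .hta outside C:\\Windows", r'^mshta(\.exe)?\s+"?(?!c:\\windows\\)[^"]+\.hta"?$'),
]


def _args_after_first_token(cmdline):
    """Drop the program token (quoted or bare) and return only the arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.partition(" ")[2].strip()


def normalise(image, cmdline):
    """'<basename of image> <arguments>' so rules ignore path, quoting and casing."""
    base = image.rsplit("\\", 1)[-1].lower()
    return f"{base} {_args_after_first_token(cmdline)}".strip()


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    label: str
    cmdline: str


def triage(processes):
    """One Finding per (process, rule) hit."""
    findings = []
    for pid, _ppid, image, cmdline in processes:
        norm = normalise(image, cmdline)
        for technique, label, pattern in RULES:
            if re.search(pattern, norm, re.IGNORECASE):
                findings.append(Finding(pid, technique, label, cmdline))
    return findings


def root_of(processes, pid):
    """Follow parent links to the oldest ancestor present in the record set."""
    parent = {p: pp for p, pp, _img, _cmd in processes}
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def triage_by_root(processes):
    """Group findings under the ancestor that spawned the cmd.exe intermediaries."""
    grouped = {}
    for f in triage(processes):
        grouped.setdefault(root_of(processes, f.pid), []).append(f)
    return grouped


def recovery_inhibition_score(findings):
    """Number of distinct T1490 behaviours seen (the run above triggers all five)."""
    return len({f.label for f in findings if f.technique == "T1490"})


if __name__ == "__main__":
    for root, fs in triage_by_root(SAMPLE_PROCESSES).items():
        print(f"root PID {root}: {len(fs)} findings, T1490 score {recovery_inhibition_score(fs)}/5")
        for f in fs:
            print(f"  [{f.technique}] pid {f.pid}: {f.label} <- {f.cmdline}")
```

Matching on the normalised string rather than the raw command line is deliberate: the same vssadmin call appears here both quoted and bare, and in telemetry it also shows up via the SysWOW64 path. The benign `vssadmin list shadows` control produces no finding, so the rules can be carried over to live process-creation events (Sysmon event 1, Security 4688 with command-line auditing) without paging on ordinary administration.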

Network

N/A

Files

memory/2792-1-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

memory/2792-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2792-2-0x0000000000220000-0x000000000022F000-memory.dmp

memory/1740-6-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1740-5-0x0000000000400000-0x0000000001B39000-memory.dmp

memory/1740-7-0x0000000000400000-0x0000000001B39000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.id[AC1C9AD4-3483].[[email protected]].8base

MD5 5c1b5a0143ed9e56963051031299f82c
SHA1 71f36d6abee5e33f9193ced658331c61362af9cc
SHA256 8f7a56ea6461ef6998768300465f135159a1f94b889e920d0f6010418b259140
SHA512 7eed25d3f2e92c1649fea30b0da2e95d088afb23e1a0dd586c2b22e4398e8d2810ea29a1b37727b3ed95ccce410c164d0d796964bca1e276a9496d03e96a0843

memory/2792-2563-0x0000000000400000-0x0000000001B39000-memory.dmp

memory/2792-4745-0x0000000000400000-0x0000000001B39000-memory.dmp

memory/2792-9500-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

memory/2792-9501-0x0000000000400000-0x0000000000413000-memory.dmp

C:\info.hta

MD5 32dd4322e5835b96f905aff2106ee519
SHA1 82da65e1d2d7a3cf460349d133d8dd23298a5790
SHA256 53584793d05eae502d37f6d65a1453790f328ef88f753561c75c716118d7f4d7
SHA512 ba92c1b76424b7bb334d100674af29cd0fb73ba580d5e8b0abcfb22f90267b4a1f4054e428aa124cd6fdf35d530b899fc28ad1f5ec8d95b898b735d2410f91b8

memory/2792-10282-0x0000000000400000-0x0000000001B39000-memory.dmp
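The Files rows show the Phobos naming scheme that the "Renames multiple (N) files with added filename extension" signatures are counting: the original name is kept and `.id[<8 hex digits>-<4 digits>].[<contact>].8base` is appended. Across the detonations on this page the first field differs per machine (AC1C9AD4 here, D597895B in behavioral6) while the 4-digit value stays 3483; the contact address itself is rendered as "[email protected]" on this page, so it is treated as an opaque field below. The parser is an added example, not part of the report: its sample rows are constructed from the file indicators on this page with a placeholder contact address, and it pairs each created ciphertext name with the original the sample opened first, which is how the rename count in the signatures can be reproduced from raw file events.

```python
"""Parser for the extension Phobos appends to encrypted files (added example, not from the report)."""
import re
from collections import Counter

# <original name>.id[<8 hex victim id>-<4 digit id>].[<contact>].<extension>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<build>\d{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<extension>[A-Za-z0-9_-]+)$"
)

CONTACT = "recovery@example.com"  # placeholder for the address the page shows obfuscated

# (event kind, path) rows constructed from the report's file indicators.
SAMPLE_EVENTS = [
    ("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    ("File created", rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D597895B-3483].[{CONTACT}].8base"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE"),
    ("File created", rf"C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.id[D597895B-3483].[{CONTACT}].8base"),
    ("File created", rf"C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.id[D597895B-3483].[{CONTACT}].8base"),
    ("File created", r"C:\info.hta"),  # ransom note, not an encrypted file
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\NOTICE.TXT"),
]


def parse_phobos_name(path):
    """Return the marker fields of a Phobos-renamed file, or None for any other name."""
    m = PHOBOS_NAME.match(path.rsplit("\\", 1)[-1])
    return m.groupdict() if m else None


def summarise(events):
    """Count ciphertexts per (victim_id, build, extension) and pair each with its original.

    A ciphertext is 'matched' when the same run also opened the original for
    modification, which is the pattern the rename signatures above are keyed on.
    """
    opened = {path.lower() for kind, path in events if kind == "File opened for modification"}
    per_marker = Counter()
    pairs = []
    for kind, path in events:
        if kind != "File created":
            continue
        fields = parse_phobos_name(path)
        if fields is None:
            continue
        per_marker[(fields["victim_id"], fields["build"], fields["extension"])] += 1
        directory = path.rsplit("\\", 1)[0]
        original = f"{directory}\\{fields['original']}"
        pairs.append((original, path, original.lower() in opened))
    return per_marker, pairs


if __name__ == "__main__":
    counts, pairs = summarise(SAMPLE_EVENTS)
    for (victim, build, ext), n in counts.items():
        print(f"victim {victim} build {build} .{ext}: {n} files renamed")
    for original, encrypted, matched in pairs:
        print(f"  {'paired ' if matched else 'orphan '} {original}")
```

Grouping by the full `(victim_id, build, extension)` tuple rather than by `.8base` alone matters when triaging a fleet: a second victim ID with the same 4-digit value and extension points at the same build run on another host, while a different 4-digit value or contact suggests a separate affiliate or campaign.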

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win10v2004-20240426-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (517) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5 = "C:\\Users\\Admin\\AppData\\Local\\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe" C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5 = "C:\\Users\\Admin\\AppData\\Local\\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe" C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
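Taken together, the "Drops startup file" and "Adds Run key" indicators describe three autostarts for one image: a Run value under the user's hive, a second under HKLM, both pointing at a copy in `C:\Users\Admin\AppData\Local\` rather than the Temp path the sample ran from, and the executable itself (not a shortcut) written into the user's Startup folder. The check below is an added example, not part of the report. It replays constructed copies of those indicator rows plus one constructed benign Run entry, flags Run values whose image lives in a user-writable directory, flags machine-wide Run values that point into a user profile, flags executables dropped directly into a Startup folder, and reports any image name that appears in more than one autostart location, since redundant persistence for a single binary is itself a strong signal.

```python
"""Persistence triage for Run-key and Startup-folder indicators (added example, not from the report)."""
import re
from dataclasses import dataclass, field

SID = "S-1-5-21-3571316656-3665257725-2415531812-1000"
NAME = "a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5"

# (kind, indicator, data). Registry data keeps the doubled backslashes the report prints.
SAMPLE_EVENTS = [
    ("Set value (str)", rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{NAME}",
     rf'"C:\\Users\\Admin\\AppData\\Local\\{NAME}.exe"'),
    ("Set value (str)", rf"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{NAME}",
     rf'"C:\\Users\\Admin\\AppData\\Local\\{NAME}.exe"'),
    ("File created", rf"\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\{NAME}.exe", None),
    ("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini", None),
    # constructed benign control: a vendor autostart under Program Files
    ("Set value (str)", rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]

RUN_KEY = re.compile(
    r"^\\REGISTRY\\(?:USER\\(?P<sid>S-1-5-21-[\d-]+)|(?P<machine>MACHINE))"
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\(?:local|locallow|roaming)\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming|programdata)\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$",
    re.IGNORECASE,
)
AUTORUN_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")


@dataclass
class Finding:
    technique: str
    location: str
    image: str
    reasons: list = field(default_factory=list)


def normalise_path(raw):
    """Collapse the doubled backslashes of registry data and drop the NT '\\??\\' prefix."""
    path = raw.replace("\\\\", "\\")
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def image_from_run_data(data):
    """First token of a Run value: the quoted path, or the bare path before any arguments."""
    data = normalise_path(data).strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def analyse_persistence(events):
    """Return (findings, names present in more than one autostart location)."""
    findings = []
    sources_by_image = {}
    for kind, indicator, data in events:
        if kind.startswith("Set value"):
            m = RUN_KEY.match(indicator)
            if not m:
                continue
            image = image_from_run_data(data)
            hive = "HKLM" if m.group("machine") else f"HKU\\{m.group('sid')}"
            reasons = []
            if USER_WRITABLE.match(image):
                reasons.append("autostart image lives in a user-writable directory")
            if hive == "HKLM" and re.match(r"^[a-z]:\\users\\", image, re.IGNORECASE):
                reasons.append("machine-wide Run value points into a user profile")
            if reasons:
                findings.append(Finding("T1547.001", f"{hive} Run\\{m.group('value')}", image, reasons))
            sources_by_image.setdefault(image.rsplit("\\", 1)[-1].lower(), set()).add(hive)
        elif kind == "File created":
            path = normalise_path(indicator)
            if STARTUP_DIR.match(path) and path.lower().endswith(AUTORUN_EXTENSIONS):
                findings.append(Finding("T1547.001", "Startup folder", path,
                                        ["executable dropped directly into Startup (no shortcut)"]))
                sources_by_image.setdefault(path.rsplit("\\", 1)[-1].lower(), set()).add("startup")
    redundant = {name for name, srcs in sources_by_image.items() if len(srcs) > 1}
    return findings, redundant


if __name__ == "__main__":
    findings, redundant = analyse_persistence(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.technique}] {f.location}: {f.image}\n    " + "; ".join(f.reasons))
    print("redundant autostarts:", sorted(redundant))
```

On a live host the same logic applies to `Get-ItemProperty` output for the two Run keys and a directory listing of both Startup folders; the value to act on is the `redundant` set, because removing only the Run values leaves the Startup copy to relaunch the encryptor at next logon.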

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\NOTICE.TXT C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Mira.Core.Engine.winmd C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PowerShell.PackageManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLL.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7db.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons2x.png.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\gnsdk_fp.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\s_empty_folder_state.svg C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ja.pak C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.html C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1 C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_am.dll.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-high.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\Microsoft.AnalysisServices.AdomdClient.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.id[D597895B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dll C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineStrings.js C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
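
The file rows above show the Phobos family naming scheme: the original name is kept and `.id[<victim id>-<variant>].[<contact>].<campaign extension>` is appended, here `.id[D597895B-3483].[...].8base`, and each victim file appears twice, first as "File opened for modification" on the plaintext path and then as "File created" on the renamed output. The Python below is an added example, not part of the sandbox report: it parses that suffix, pairs the open and create rows, and tallies outputs per victim ID so a mass rename can be flagged. The sample rows are constructed from the report's own paths; the contact address between the second pair of brackets is a placeholder, because the page does not reproduce the real one.

```python
"""Parse Phobos/8Base-style appended extensions from sandbox file events.

Added example, not part of the sandbox report. The event rows below are
constructed from the report's own paths; the contact address between the
second pair of brackets is a placeholder because the page does not show it.
"""
import re
from collections import Counter

# Phobos naming scheme:
#   <original name>.id[<8 hex victim id>-<4 digit variant>].[<contact>].<campaign ext>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<variant>\d{4})\]"
    r"\.\[(?P<contact>[^\[\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

OPENED = "File opened for modification"
CREATED = "File created"

# Constructed sample of (operation, path) rows in the report's own format.
# The contact placeholder is an assumption; everything else mirrors the page.
CONTACT = "victim-contact@example.invalid"
SUFFIX = f".id[D597895B-3483].[{CONTACT}].8base"
SAMPLE_EVENTS = [
    (OPENED, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources"
             r"\Resource0\static\js\plugins\home\images\files_icons2x.png"),
    (CREATED, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources"
              r"\Resource0\static\js\plugins\home\images\files_icons2x.png" + SUFFIX),
    (OPENED, r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27"
             r"\System.Reflection.Emit.ILGeneration.dll"),
    (CREATED, r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27"
              r"\System.Reflection.Emit.ILGeneration.dll" + SUFFIX),
    # opened but no renamed output yet: encryption still in progress or skipped
    (OPENED, r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ja.pak"),
    # the ransom note is created too, but it is not an encrypted file
    (CREATED, r"C:\Users\Admin\Desktop\info.hta"),
]


def parse_phobos_name(path: str):
    """Split a Phobos-style path into its parts, or return None for other names."""
    name = path.rsplit("\\", 1)[-1]
    m = PHOBOS_NAME.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    suffix_len = len(name) - len(parts["original"])
    parts["original_path"] = path[:-suffix_len]  # path of the plaintext file
    return parts


def correlate(events):
    """Pair each 'opened for modification' row with the renamed output created
    afterwards and tally outputs per (victim_id, variant, ext).

    Returns (pairs, unpaired_opens, tally)."""
    pending = {}
    pairs = []
    tally = Counter()
    for op, path in events:
        if op == OPENED:
            pending[path] = True
        elif op == CREATED:
            parsed = parse_phobos_name(path)
            if parsed is None:
                continue
            tally[(parsed["victim_id"], parsed["variant"], parsed["ext"])] += 1
            if pending.pop(parsed["original_path"], False):
                pairs.append((parsed["original_path"], path))
    return pairs, sorted(pending), tally


def mass_rename_keys(tally, threshold=100):
    """Return the (victim_id, variant, ext) tuples that crossed the threshold.

    The report counts 300-700 renames per detonation; 100 outputs sharing one
    suffix is well below that and far above anything benign software does."""
    return [key for key, n in tally.items() if n >= threshold]


if __name__ == "__main__":
    pairs, unpaired, tally = correlate(SAMPLE_EVENTS)
    for src, dst in pairs:
        print("encrypted:", src, "->", dst.rsplit("\\", 1)[-1])
    print("opened without renamed output:", unpaired)
    print("per-suffix counts:", dict(tally))
    print("mass rename:", mass_rename_keys(tally, threshold=2))
```

Run against a full export of the sandbox's file events (or EDR file-create telemetry), the per-suffix tally gives the victim ID and campaign extension straight from the data, and the list of opened-but-not-renamed paths shows where encryption was still running when the detonation timed out.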

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 1096 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1096 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 532 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 532 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 532 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 532 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1096 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1096 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1096 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1096 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1096 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1096 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1096 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1096 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2664 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4924 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4924 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4924 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4924 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4924 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4924 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4924 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4924 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4924 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe

"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
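
Read together with the parent/child PIDs in the WriteProcessMemory table, the command lines above form the standard Phobos recovery-inhibition chain: cmd.exe children delete shadow copies twice (vssadmin, then wmic), turn off the Windows recovery environment and boot-failure prompts (bcdedit), delete the backup catalog (wbadmin) and disable the firewall with both the advfirewall and the legacy netsh syntax, while mshta.exe displays info.hta from several locations. The Python below is an added detection example, not part of the report: it rebuilds the process tree from constructed process-creation events and alerts only when several T1490 actions occur under one ancestor, so a lone administrative vssadmin invocation does not fire. PIDs are taken from the WriteProcessMemory rows and command lines from the Processes list; pairing a given PID with a given command line, and the parent of the sample itself, are assumptions.

```python
"""Flag the Phobos recovery-inhibition chain in process-creation events.

Added detection example, not part of the sandbox report. The events are
constructed: PIDs come from the report's WriteProcessMemory rows and command
lines from its Processes list; which PID ran which command line, and the
parent of the sample itself, are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5.exe"
NOTE_ARGS = "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"

# (pid, ppid, image, command line); ppid 0 = parent not recorded in the report
SAMPLE_EVENTS = [
    (2664, 0, SAMPLE, f'"{SAMPLE}"'),
    (1096, 2664, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (532, 2664, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (4332, 1096, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (3028, 1096, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (312, 1096, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (3992, 1096, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (4200, 1096, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (3104, 532, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (3012, 532, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (3616, 2664, r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" ' + NOTE_ARGS),
    # Constructed benign control: an administrator listing shadow copies.
    (9001, 0, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (9002, 9001, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (ATT&CK technique, description, pattern); applied with re.search, case-insensitive
RULES = [
    ("T1490", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted via wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Windows recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("T1490", "boot failure recovery prompts suppressed",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "backup catalog deleted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.004", "firewall profile disabled (advfirewall syntax)",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "firewall disabled (legacy netsh syntax)",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", re.I)),
    ("T1218.005", "HTA ransom note launched through mshta",
     re.compile(r'\bmshta(\.exe)?"?\s+"?[^"]*?\.hta\b', re.I)),
]


def build_tree(events):
    """Index processes by pid and children by ppid."""
    procs = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return procs, children


def descendants(children, root):
    """All pids below root, depth-first."""
    out, stack = [], [root]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child)
    return out


def match_rules(cmdline):
    return [(tech, desc) for tech, desc, rx in RULES if rx.search(cmdline)]


def analyse(events, min_recovery_actions=3):
    """Aggregate rule hits per root process.

    Returns {root_pid: {"hits": [(pid, technique, description)],
                        "techniques": sorted unique techniques,
                        "alert": bool}}.
    The alert requires several distinct T1490 actions under one ancestor:
    a lone 'vssadmin delete shadows' turns up in administration scripts,
    the combination with bcdedit and wbadmin does not.
    """
    procs, children = build_tree(events)
    roots = [pid for pid, (ppid, _, _) in procs.items() if ppid not in procs]
    report = {}
    for root in roots:
        hits = []
        for pid in [root, *descendants(children, root)]:
            for tech, desc in match_rules(procs[pid][2]):
                hits.append((pid, tech, desc))
        recovery_actions = {desc for _, tech, desc in hits if tech == "T1490"}
        report[root] = {
            "hits": hits,
            "techniques": sorted({tech for _, tech, _ in hits}),
            "alert": len(recovery_actions) >= min_recovery_actions,
        }
    return report


if __name__ == "__main__":
    for root, result in analyse(SAMPLE_EVENTS).items():
        print(f"root pid {root}: alert={result['alert']} techniques={result['techniques']}")
        for pid, tech, desc in result["hits"]:
            print(f"  pid {pid:>5} {tech:<10} {desc}")
```

Aggregating by root rather than alerting on each child is the point: the individual commands are all legitimate Windows tools, and the sample spreads them over two cmd.exe children and a separate mshta.exe, so a per-event rule either floods or misses. In real telemetry (Sysmon event 1, Windows 4688 with command-line auditing) the same walk also needs a time window, since a long-lived explorer.exe root would otherwise accumulate hits indefinitely.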

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

memory/2664-1-0x0000000001D50000-0x0000000001E50000-memory.dmp

memory/2664-2-0x0000000001CA0000-0x0000000001CAF000-memory.dmp

memory/2664-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4324-5-0x0000000000400000-0x0000000001B39000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[D597895B-3483].[[email protected]].8base

MD5 4df9bda982ac548d7e4ae601ab50d57d
SHA1 eb527f48d5a24297429e7078874e3c396be47631
SHA256 88a316472e16cc9aca2268f5ffb4cc6914d766725426a7c78d60cb302f3135f9
SHA512 a0cd65f9cc486e3f3de92abd58ccbc31d6856fa8fe2d023677e3688b9041269dd228661bea62d670bdfa0634d6a064e944fc38f7320d92bdc6705c2b9da14212

memory/2664-2700-0x0000000000400000-0x0000000001B39000-memory.dmp

memory/2664-6741-0x0000000000400000-0x0000000001B39000-memory.dmp

memory/2664-8939-0x0000000001D50000-0x0000000001E50000-memory.dmp

memory/2664-8941-0x0000000001CA0000-0x0000000001CAF000-memory.dmp

memory/2664-11470-0x0000000000400000-0x0000000000413000-memory.dmp

C:\info.hta

MD5 01ac576a825fe8f47600d5605cdf7c32
SHA1 514c45996f8f80b98e2f8cfbbd2c674c05a69ab5
SHA256 1bd3b9f1ee947dc492c89c7318a3ca25e080d5880f149dc90986c811a48e3c87
SHA512 81990eb541df078b2f6bb0b54bdc3213b994206d5a1065de3ab38b8e6ff8f622b8b35f6b070c44ca2f12eb92201d4cd25c65373d78bd75bce1793a6d87eb7a82

memory/2664-12632-0x0000000000400000-0x0000000001B39000-memory.dmp
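The encrypted file names in the Files list above and in the behavioral8 file tables follow one pattern: the original name, then `.id[<8 hex>-<4 hex>]`, then the contact address in square brackets, then the `.8base` extension. The first half of the id differs between detonations on this page (D597895B above, BD6AA4D3 in behavioral8) while the 3483 suffix is constant, so the two fields are worth extracting separately when triaging an incident. The following parser is an added example, not part of this sandbox report or of any Phobos tooling. The page's copies of the contact field were mangled by e-mail obfuscation, so the sample paths carry a constructed placeholder address; the id values and directory paths are the ones this report records.

```python
"""Parser for the file names Phobos/8Base leaves behind, using the pattern
visible in this report:
    <original>.id[<8 hex>-<4 hex>].[<contact address>].<extension>

Added example, not part of the sandbox report. The sample paths below are
constructed from paths in the report with a placeholder contact address."""
import re
from collections import Counter

PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<variant>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]\\]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(path):
    """Split an encrypted path into directory, original name and the fields
    the ransomware embedded. Returns None for names outside the pattern
    (ransom notes, untouched files)."""
    directory, _, name = path.rpartition("\\")
    m = PHOBOS_NAME.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    fields["victim"] = fields["victim"].upper()
    fields["directory"] = directory
    fields["original_path"] = (
        f"{directory}\\{fields['original']}" if directory else fields["original"]
    )
    return fields


def summarize(paths):
    """Count encrypted files per (victim id, variant id, contact, extension)
    and collect the original paths to hand to whoever restores from backup."""
    groups = Counter()
    originals = []
    for path in paths:
        f = parse_phobos_name(path)
        if f is None:
            continue
        groups[(f["victim"], f["variant"], f["contact"], f["ext"])] += 1
        originals.append(f["original_path"])
    return groups, originals


# Constructed sample: report paths with a placeholder contact address.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[D597895B-3483].[support@example.com].8base",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[BD6AA4D3-3483].[support@example.com].8base",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.id[BD6AA4D3-3483].[support@example.com].8base",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.id[BD6AA4D3-3483].[support@example.com].8base",
    r"C:\info.hta",                            # ransom note, not encrypted
    r"C:\Users\Admin\Documents\report.docx",   # constructed untouched file
]

if __name__ == "__main__":
    groups, originals = summarize(SAMPLE_PATHS)
    for (victim, variant, contact, ext), n in groups.items():
        print(f"id[{victim}-{variant}] {contact} .{ext}: {n} file(s)")
    for p in originals:
        print("restore:", p)
```

Run over a file listing from an affected share, the grouping step shows at a glance whether one or several victim ids (and therefore one or several infected hosts) wrote to it, and the original-path list is what a restore job needs; the lazy `original` match keeps names that themselves contain dots, such as `desktop.ini` or `System.Memory.dll`, intact.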

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win10v2004-20240419-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (518) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53 = "C:\\Users\\Admin\\AppData\\Local\\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe" C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53 = "C:\\Users\\Admin\\AppData\\Local\\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe" C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\LogoDev.png.DATA.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-200.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\Cabinet.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected][BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\AppStore_icon.svg.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons2x.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\accessibility.properties C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.Effects.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\resource.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.schema.mfl C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js.id[BD6AA4D3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2556 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2620 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2620 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2556 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2556 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2620 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2620 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2620 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2620 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1064 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3024 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3024 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3024 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3024 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
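
The WriteProcessMemory table and the Processes list above are together enough to rebuild the process tree and attribute each spawned utility to an ATT&CK technique. The following Python is an added example written for this page, not sandbox output or code belonging to the sample: it parses the sandbox's own row format (each write is logged twice, and the parser collapses the repeats), builds the parent/child map, tags each child image with the techniques of the command lines the Processes list shows for that image, and raises a verdict only when a single parent has launched at least two distinct recovery-inhibiting commands. Because the report does not tie a PID to a specific command line, classification is per image name, so every bcdedit child is credited with both bcdedit variants. The sample path, PIDs and command lines are copied from this report; the technique IDs are MITRE ATT&CK (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta); the threshold of two is an assumption chosen so that a lone administrative `vssadmin delete shadows` does not fire by itself.

```python
import re
from collections import defaultdict

# Constructed input, copied from this report's WriteProcessMemory table; the sandbox
# logs each write twice (shown here for the first edge) and the parser collapses the
# repeats. {S} stands for the sample path defined below.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"
WPM_TABLE = r"""
PID 1064 wrote to memory of 2620 N/A {S} C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 2620 N/A {S} C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 2556 N/A {S} C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2620 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2556 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2620 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2620 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2620 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1064 wrote to memory of 972 N/A {S} C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1088 N/A {S} C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 2848 N/A {S} C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 1708 N/A {S} C:\Windows\SysWOW64\mshta.exe
PID 1064 wrote to memory of 3024 N/A {S} C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3024 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3024 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
""".replace("{S}", SAMPLE)

# Command lines from the Processes list, keyed by image name (lower-case). The report
# does not tie PIDs to command lines, so classification happens per image name.
CMDLINES = {
    "cmd.exe": [r'"C:\Windows\system32\cmd.exe"'],
    "netsh.exe": ["netsh advfirewall set currentprofile state off",
                  "netsh firewall set opmode mode=disable"],
    "vssadmin.exe": ["vssadmin delete shadows /all /quiet"],
    "wmic.exe": ["wmic shadowcopy delete"],
    "bcdedit.exe": ["bcdedit /set {default} bootstatuspolicy ignoreallfailures",
                    "bcdedit /set {default} recoveryenabled no"],
    "wbadmin.exe": ["wbadmin delete catalog -quiet"],
    "mshta.exe": [r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" '
                  r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'],
}

# (pattern, label); each label starts with the MITRE ATT&CK technique ID.
RULES = [
    (r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", "T1490 vssadmin delete shadows"),
    (r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", "T1490 wmic shadowcopy delete"),
    (r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", "T1490 wbadmin delete catalog"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "T1490 bcdedit recoveryenabled no"),
    (r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "T1490 bcdedit bootstatuspolicy ignoreallfailures"),
    (r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", "T1562.004 netsh advfirewall state off"),
    (r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", "T1562.004 netsh firewall opmode disable"),
    (r"\bmshta(\.exe)?\b.*\.hta\b", "T1218.005 mshta launching .hta"),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)

def parse_wpm(table):
    """Map (parent pid, child pid) -> (parent image, child image); the dict drops repeated rows."""
    edges = {}
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, pid, pimg, cimg = m.groups()
            edges[(int(ppid), int(pid))] = (pimg, cimg)
    return edges

def build_tree(edges):
    children, image = defaultdict(list), {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        children[ppid].append(pid)
        image[ppid], image[pid] = pimg, cimg
    return children, image

def classify(cmdline):
    return {label for pat, label in RULES if re.search(pat, cmdline, re.I)}

def techniques_for_image(path):
    """Union of techniques over every command line the report shows for this image name."""
    name = path.rsplit("\\", 1)[-1].lower()
    return set().union(*(classify(c) for c in CMDLINES.get(name, [])))

def all_techniques(image):
    return set().union(*(techniques_for_image(p) for p in image.values()))

def verdict(children, image, threshold=2):
    """Parents that launched at least `threshold` distinct T1490 actions (the threshold is an assumption)."""
    out = {}
    for ppid, kids in children.items():
        acts = set().union(*({t for t in techniques_for_image(image[k]) if t.startswith("T1490")} for k in kids))
        if len(acts) >= threshold:
            out[ppid] = sorted(acts)
    return out

if __name__ == "__main__":
    children, image = build_tree(parse_wpm(WPM_TABLE))
    for ppid, acts in verdict(children, image).items():
        print(f"PID {ppid} {image[ppid]} launched {len(acts)} recovery-inhibition actions: {acts}")
```

Run against the rows above, both cmd.exe instances (2620 and 3024) come back with all five T1490 actions, while the cmd.exe that only ran the two netsh commands (2556) and the sample's four mshta children do not. That is the practical point of correlating on the parent: any one of these commands can be legitimate administration, but a cmd.exe that runs vssadmin, wmic shadowcopy, bcdedit and wbadmin back to back is the Phobos recovery-inhibition chain and should be blocked at the first child, not after the fifth.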

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 94.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id[BD6AA4D3-3483].[[email protected]].8base

MD5 3befab024be493c4948244d2ce23beb9
SHA1 45523814033e72a5ab89d96ee691d207e9f5d52e
SHA256 12fd2427eb16e388982b3f8febc2d17b5d7404c903d220b058ec6f3811f24910
SHA512 77a0417bd4fd3af56745711e96abc4abaef1013d80d2d4b88ab3712f40f7af9631b3b8bdaad327d6e18518ae6908abe44244df3d2b1ca3ba901920595b8ce6c7

C:\info.hta

MD5 77112e9bba8ca72c89ef7e3cf7116c3f
SHA1 8c308a596f369b27c02dea2c0fdefe6fb8bfe3d3
SHA256 c29d5b753dff8d7e0a9dec57fcde681067bc1e1bf09a2ad325836158e92be1f4
SHA512 446d2c3f4a8a6c604e9a422de08e680373589f39b3c791e39e473db11ff207ffb00060283499dd70218f460170e41da3ff1d318181c3a5bda128d3e82b8fb4d7
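
The appended extension carries structure: `<original name>.id[<8 hex>-<4 digits>].[<contact>].8base`. Across this report the 8-hex part differs per detonation (BD6AA4D3 in the run above, CD9AC975 in behavioral4) while the 4-digit part is 3483 in both, so the first is a per-victim identifier and the second is constant across this campaign's builds. The following Python is an added example written for this page, not sandbox output: it parses that pattern, recovers the pre-encryption path, counts which original file types were hit, and groups renamed files the way the report's "Renames multiple (N) files" signature does. The sample listing is constructed from paths that appear in this report; the contact address survives on this page only in redacted form (`[email protected]`), which is why the contact field is matched non-greedily rather than as an e-mail address; the threshold of 3 is an assumption for the demo, where the sandbox fires at counts in the hundreds.

```python
import re
from collections import Counter, defaultdict

# Phobos-family naming as seen in this report (8Base variant):
#   <original name>.id[<8 hex victim id>-<4-digit suffix>].[<contact address>].8base
# On this page the contact address survives only as the redaction "[email protected]",
# which itself contains brackets, so the contact group is matched non-greedily up to
# the last "]." rather than as an e-mail address.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<suffix>\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed listing: paths taken from this report's file tables, plus two untouched files.
SAMPLE_LISTING = [
    r"C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll.id[BD6AA4D3-3483].[[email protected]].8base",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js.id[BD6AA4D3-3483].[[email protected]].8base",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id[BD6AA4D3-3483].[[email protected]].8base",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[CD9AC975-3483].[[email protected]].8base",
    r"C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated_contrast-black.png",
    r"C:\info.hta",
]

def _split(path):
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    return folder, name

def parse_phobos_name(path):
    """Components of a Phobos-renamed file name, or None for an untouched file."""
    m = PHOBOS_NAME.match(_split(path)[1])
    return m.groupdict() if m else None

def original_path(path):
    """Pre-encryption path, for building the inventory of what was hit."""
    parsed = parse_phobos_name(path)
    if parsed is None:
        return path
    folder, _ = _split(path)
    return (folder + "\\" if folder else "") + parsed["original"]

def original_extensions(paths):
    """How many files of each original type were renamed."""
    exts = Counter()
    for p in paths:
        parsed = parse_phobos_name(p)
        if parsed:
            exts[parsed["original"].rsplit(".", 1)[-1].lower()] += 1
    return exts

def mass_rename_groups(paths, threshold=3):
    """Renamed files grouped by (victim id, suffix, extension) that reach the threshold.
    threshold=3 is an assumption for this demo; the sandbox signature fires at hundreds."""
    groups = defaultdict(list)
    for p in paths:
        parsed = parse_phobos_name(p)
        if parsed:
            groups[(parsed["victim"].upper(), parsed["suffix"], parsed["ext"].lower())].append(p)
    return {k: v for k, v in groups.items() if len(v) >= threshold}

if __name__ == "__main__":
    for key, files in mass_rename_groups(SAMPLE_LISTING).items():
        print(f"victim {key[0]} suffix {key[1]} ext .{key[2]}: {len(files)} files")
    print(original_extensions(SAMPLE_LISTING))
```

Grouping by the victim id is what separates one infected host from another when file listings from several machines are pooled during incident response; the suffix and extension identify the build, and the original-extension counter shows at a glance that this sample does not skip executables, DLLs or desktop.ini files.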

Analysis: behavioral4

Detonation Overview

Submitted 2024-05-01 16:55
Reported 2024-05-01 17:00
Platform win10v2004-20240419-en
Max time kernel 300s
Max time network 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (511) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
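
The two Run-key rows above and the Startup-folder copy listed under "Drops startup file" register the same executable in three places at once: HKLM Run, the user's HKCU Run, and the Startup folder, with both Run values pointing at a copy under %LOCALAPPDATA%. The following Python is an added example written for this page, not sandbox output: it parses the sandbox's row format for those three rows (trailing Process/Target columns dropped) and flags an image basename that appears in all three autostart locations. The value name equals the sample's SHA-256 only because the sandbox names submitted samples by hash, so the check keys on the three-way correlation and on the user-writable target path, not on a 64-character hex name. The OneDrive row is a constructed benign control and does not come from the report.

```python
import re
from collections import defaultdict

# Constructed input: the two Run-key rows and the Startup-folder row from this report
# (behavioral4) in the sandbox's row format, trailing Process/Target columns dropped,
# plus one constructed benign Run value (OneDrive) as a control. {N} is the sample's
# file name, which the sandbox derives from its SHA-256.
NAME = "518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c"
SANDBOX_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{N} = "C:\\Users\\Admin\\AppData\\Local\\{N}.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{N} = "C:\\Users\\Admin\\AppData\\Local\\{N}.exe"
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\{N}.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
""".replace("{N}", NAME)

RUN_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\Run)\\(?P<value>\S+) = "(?P<data>.+)"$', re.I)
FILE_RE = re.compile(r"^File created (?P<path>.+)$", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
ALL_THREE = {"HKLM Run", "HKCU Run", "Startup folder"}

def exe_basename(cmd):
    """Lower-case image name without extension or arguments ('onedrive' from '...\\OneDrive.exe /background')."""
    return cmd.lower().split(".exe", 1)[0].rsplit("\\", 1)[-1]

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def persistence_locations(rows):
    """Map image basename -> set of autostart locations it was registered in, plus the Run data seen."""
    seen, data = defaultdict(set), {}
    for line in rows.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            hive = "HKLM Run" if m["key"].upper().startswith("\\REGISTRY\\MACHINE") else "HKCU Run"
            target = m["data"].replace("\\\\", "\\")      # the sandbox doubles backslashes in values
            base = exe_basename(target)
            seen[base].add(hive)
            data[base] = target
            continue
        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            if path.startswith("\\??\\"):                 # NT object-manager path prefix
                path = path[4:]
            if STARTUP_DIR in path.lower():
                seen[exe_basename(path)].add("Startup folder")
    return seen, data

def phobos_style_persistence(rows):
    """Images registered in HKLM Run, HKCU Run and the Startup folder at the same time."""
    seen, data = persistence_locations(rows)
    return {base: {"locations": sorted(locs), "run_target": data.get(base),
                   "user_writable": user_writable(data.get(base, ""))}
            for base, locs in seen.items() if ALL_THREE <= locs}

if __name__ == "__main__":
    for base, info in phobos_style_persistence(SANDBOX_ROWS).items():
        print(base, info)
```

On a live host the same correlation can be fed from the two Run keys and the per-user Startup folder directly; the triple registration is what distinguishes this pattern from ordinary software that writes a single Run value, and the user-writable target is the cue that the registered image is not an installed product.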

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.IO.UnmanagedMemoryStream.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_unshare_18.svg C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sq.pak.DATA.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\ui-strings.js.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Login.m4a C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ml.pak.DATA C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\7-Zip\readme.txt.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected][CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_cy.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppValueProp.svg C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\ui-strings.js.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_pt-PT.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll.id[CD9AC975-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
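
The file rows above show the renaming pattern that drives the "Renames multiple (N) files with added filename extension" signatures: the sample writes each encrypted file back under its original name plus `.id[<victim id>-<campaign id>].[<contact address>].8base`, here with the victim id `CD9AC975-3483`. The report masks the contact address, and "File opened for modification" rows that already carry the suffix show the sample touching files it has renamed. The triage helper below is an added example, not part of the sandbox report or of any 8Base/Phobos tooling: it parses that suffix out of file paths shaped like the table rows, recovers the original filename, groups hits by victim id and top-level directory, and reproduces the sandbox's mass-rename heuristic. The event rows, the `sample.exe` process path and the `helpdesk@example.test` contact are constructed placeholders, and the regex is an assumption that covers only the layout seen on this page.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Appended-extension layout observed in the file table above:
#   <original name>.id[<8 hex chars>-<4 digits>].[<contact address>].<campaign extension>
# Assumption: only this layout is parsed; other Phobos builds reorder or drop fields.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9_-]+)$"
)


@dataclass(frozen=True)
class EncryptedFile:
    original_path: str   # path with the ransomware suffix stripped
    victim_id: str       # per-victim id embedded in every renamed file
    contact: str         # attacker contact address carried in the suffix
    ext: str             # campaign extension (here "8base")


def parse_phobos_name(path: str):
    """Return an EncryptedFile if `path` carries the suffix above, else None."""
    p = PureWindowsPath(path)
    m = PHOBOS_SUFFIX.match(p.name)
    if m is None:
        return None
    return EncryptedFile(
        original_path=str(p.with_name(m["original"])),
        victim_id=m["victim_id"].upper(),
        contact=m["contact"],
        ext=m["ext"],
    )


def top_level_dir(path: str) -> str:
    """'C:\\Program Files\\7-Zip\\x' -> 'C:\\Program Files'."""
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*parts[:2])) if len(parts) >= 2 else parts[0]


def triage(events):
    """Group renamed files by victim id.

    `events` are (action, path, process) triples shaped like the sandbox table rows.
    Paths without the suffix (not yet renamed, or only opened for modification) are skipped.
    """
    summary = defaultdict(lambda: {
        "count": 0, "exts": set(), "contacts": set(),
        "roots": Counter(), "originals": [],
    })
    for _action, path, _process in events:
        ef = parse_phobos_name(path)
        if ef is None:
            continue
        s = summary[ef.victim_id]
        s["count"] += 1
        s["exts"].add(ef.ext)
        s["contacts"].add(ef.contact)
        s["roots"][top_level_dir(path)] += 1
        s["originals"].append(ef.original_path)
    return dict(summary)


def looks_like_mass_rename(summary, threshold=100):
    """Mirror the sandbox's 'Renames multiple (N) files' heuristic: one victim id,
    a single extension, at least `threshold` files. Returns the victim ids that qualify."""
    return sorted(v for v, s in summary.items()
                  if s["count"] >= threshold and len(s["exts"]) == 1)


# Constructed sample rows modelled on the table above. The report masks the contact
# address, so a placeholder is used here; it is not the real address.
_PROC = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
_SFX = ".id[CD9AC975-3483].[helpdesk@example.test].8base"
SAMPLE_EVENTS = [
    ("File created", r"C:\Program Files\7-Zip\readme.txt" + _SFX, _PROC),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL" + _SFX, _PROC),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF" + _SFX, _PROC),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\cy.txt", _PROC),
    ("File created", r"C:\Users\Admin\Documents\budget.xlsx" + _SFX, _PROC),
    ("File opened for modification", r"C:\Users\Admin\Links\desktop.ini", _PROC),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for victim, s in result.items():
        print(victim, s["count"], sorted(s["exts"]), sorted(s["contacts"]), dict(s["roots"]))
    print("mass rename:", looks_like_mass_rename(result, threshold=4))
```

Feeding the full file table of a detonation into `triage` gives the encrypted-file inventory an incident responder needs (original paths, one victim id per host, the extension to hunt for on file servers); the `roots` counter also shows how far into `Program Files` and `WindowsApps` the sample reaches, which explains why the affected applications break rather than merely losing documents.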

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
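
The vssadmin.exe rows above, together with the WMIC.exe and vssvc.exe privilege entries further down and the "Deletes shadow copies", "Modifies boot configuration data using bcdedit" and "Deletes backup catalog" signatures in the summary, are the recovery-inhibition stage (ATT&CK T1490). Two caveats when turning them into detections: vssvc.exe holding SeBackupPrivilege and SeRestorePrivilege is normal for the Volume Shadow Copy service, and the SCSI registry reads in the evasion section are performed by vds.exe, a Windows service, not by the sample, so the command line and the parent process carry the signal. The detector below is an added example, not part of the sandbox report: it runs rules for the five recovery-inhibition commands over Sysmon-style process-creation records, rates hits higher when the parent runs from a user-writable directory, and reports when several distinct rules fire from one parent. The record field names (`Image`, `CommandLine`, `ParentImage`), the `sample.exe` parent path and every sample command line are constructed; the report's own Command Line sections, not this block, hold the strings this sample actually ran.

```python
import re
from dataclasses import dataclass

# Command-line patterns for the recovery-inhibition steps named by the report's signatures,
# all mapped to ATT&CK T1490. Matching is done on a lower-cased, whitespace-collapsed line.
RULES = [
    ("vssadmin deletes shadow copies", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("wmic deletes shadow copies", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit disables recovery", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("bcdedit ignores boot failures", r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin deletes backup catalog", r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
]
_COMPILED = [(name, re.compile(rx)) for name, rx in RULES]

# Assumed parent locations typical of a dropper; a recovery-inhibition command spawned
# from one of them is rated higher than the same command from an admin shell.
_USER_WRITABLE_PARENT = re.compile(r"\\appdata\\local\\temp\\|\\users\\public\\|\\downloads\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    image: str
    command_line: str
    parent_image: str
    severity: str


def normalize(cmd: str) -> str:
    """Collapse whitespace and case so quoting and spacing tricks do not split a match."""
    return " ".join(cmd.split()).lower()


def detect(event: dict):
    """Return an Alert for one process-creation record, or None.

    Expected keys (assumed names, as Sysmon Event ID 1 exports them):
    Image, CommandLine, ParentImage.
    """
    cmd = normalize(event.get("CommandLine", ""))
    for name, rx in _COMPILED:
        if rx.search(cmd):
            parent = event.get("ParentImage", "")
            severity = "high" if _USER_WRITABLE_PARENT.search(parent.lower()) else "medium"
            return Alert(name, "T1490", event.get("Image", ""), cmd, parent, severity)
    return None


def scan(events):
    return [a for a in map(detect, events) if a is not None]


def inhibit_recovery_chain(alerts, min_rules=2):
    """True when at least `min_rules` distinct rules fire from the same parent: the
    vssadmin + wmic + bcdedit + wbadmin sequence rather than one lone admin command."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault(a.parent_image.lower(), set()).add(a.rule)
    return any(len(rules) >= min_rules for rules in by_parent.values())


# Constructed Sysmon-style records; the five malicious lines are the textbook Phobos
# recovery-inhibition commands, not strings copied from this report.
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": _DROPPER},
    {"Image": r"C:\Windows\System32\Wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": _DROPPER},
    {"Image": r"C:\Windows\system32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no", "ParentImage": _DROPPER},
    {"Image": r"C:\Windows\system32\bcdedit.exe", "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "ParentImage": _DROPPER},
    {"Image": r"C:\Windows\system32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet", "ParentImage": _DROPPER},
    # Benign look-alikes: a read-only listing and an unrelated WMIC query from a shell.
    {"Image": r"C:\Windows\system32\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": _CMD},
    {"Image": r"C:\Windows\System32\Wbem\WMIC.exe", "CommandLine": "wmic os get caption", "ParentImage": _CMD},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.technique} {a.rule}: {a.command_line} (parent {a.parent_image})")
    print("inhibit-recovery chain:", inhibit_recovery_chain(found))
```

A single medium-severity hit (an administrator clearing old shadow copies from cmd.exe) is an acknowledgement, not an incident; two or more rules from the same user-writable parent within one detonation or one host is the point at which isolation should be automatic, because the encryption loop shown in the file tables follows directly.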

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 3788 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1932 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2236 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1932 wrote to memory of 3804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2236 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2236 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2236 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3788 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 3788 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 3788 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 3788 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 3788 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 1520 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1520 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1520 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1520 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1520 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network


Files

memory/3788-0-0x0000000002530000-0x0000000002545000-memory.dmp

memory/3788-1-0x0000000002530000-0x0000000002545000-memory.dmp

memory/3788-2-0x0000000002550000-0x000000000255F000-memory.dmp

memory/3788-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4864-5-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4864-6-0x0000000000400000-0x000000000092B000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[CD9AC975-3483].[[email protected]].8base

MD5 c49127f4f799d38594bf1adc9b074b6c
SHA1 85223c8462eb1e8bab9e151aea0ca7087f5ff410
SHA256 9610e95dd8916aecade4ce968a6b4dfe8745383b9562b198bbf2503a236da818
SHA512 0920981146bbee00f7924e96550fd2416dffa4b46f967d1070508d26a10ba7da7206280ad2aa2579ac1a1c24bf2d5f85f04260101c8647b23bb25799057d3ae4

memory/3788-3889-0x0000000000400000-0x000000000092B000-memory.dmp

memory/3788-7211-0x0000000002550000-0x000000000255F000-memory.dmp

memory/3788-7130-0x0000000000400000-0x000000000092B000-memory.dmp

memory/3788-10163-0x0000000000400000-0x0000000000413000-memory.dmp

C:\info.hta

MD5 cf297b77bca7f39a6f0aa6b40f2cfbaf
SHA1 1a4e60bba842bde89a585702ae82b1f6ef2a7433
SHA256 036a942d111e7127582cca221c5e4b5c1c3651506a3054c741ead6327c0a34a6
SHA512 c6943929afb15a4e3b802e0b62b7a53646474fbfa93b64d7e9fb114eb5950202ee66af35116eadaf2070b963a3580b6ba1a4bc65d4aef19cbc946b6532bd0326

memory/3788-12569-0x0000000000400000-0x000000000092B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win7-20240419-en

Max time kernel

299s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53 = "C:\\Users\\Admin\\AppData\\Local\\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe" C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53 = "C:\\Users\\Admin\\AppData\\Local\\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe" C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ASWW3GU0\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHX8DMHP\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6KIMP0IT\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\B5JWTXJ4\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\334W6EWO\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216588.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332268.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\xmlrwbin.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\es-ES\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Curacao.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239941.WMF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBLINK.POC.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00184_.WMF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\Groove Starter Template.xsn.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.ELM C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF.id[768B2207-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SAFRI_01.MID C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.XML C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
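
The "File created" rows above all carry the Phobos-family naming scheme: the encrypted copy is written as the original name plus `.id[<8 hex victim id>-<4 digits>].[<contact address>].<extension>`, here `id[768B2207-3483]` and the `8base` extension (the address field is rendered by this page as the obfuscated literal `[email protected]`, so nothing below assumes its real value). The "File opened for modification" rows are the originals being read before encryption. The following script is an added example, not part of the sandbox report: it parses rows in the report's own "Description Indicator Process Target" layout, decodes the naming scheme into victim id, contact field and extension, pairs encrypted copies with the originals it saw opened, and reproduces the kind of "Renames multiple (N) files with added filename extension" count the summary at the top of the report is built from. The sample rows are constructed from paths in this report (the `Karachi` "opened" row is added so that one original/encrypted pair is present); the threshold `min_renames` is an assumed parameter.

```python
import re
from collections import Counter

# Process path exactly as it appears in the report rows.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe")

# Constructed input in the report's row layout (paths taken from the report;
# the "Karachi" opened-row is added so one original/encrypted pair exists).
SAMPLE_ROWS = "\n".join(f"{desc} {path} {SAMPLE_EXE} N/A" for desc, path in [
    ("File opened for modification", r"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF"),
    ("File created", r"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF.id[768B2207-3483].[[email protected]].8base"),
    ("File opened for modification", r"C:\Program Files\Java\jre7\lib\zi\Asia\Karachi"),
    ("File created", r"C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.id[768B2207-3483].[[email protected]].8base"),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\uninstall.exe"),
    ("File created", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll.id[768B2207-3483].[[email protected]].8base"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\desktop.ini"),
])

# Target paths contain spaces ("Program Files (x86)"), so the row is split by
# anchoring on the known description prefix and on the trailing "<process> N/A";
# the process path in this report has no spaces, which the regex relies on.
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification) "
    r"(?P<target>.+?) (?P<process>[A-Za-z]:\\\S+) N/A$")

# <original>.id[XXXXXXXX-NNNN].[<contact>].<ext>; the contact field is matched
# lazily because the page shows it as "[email protected]" with extra brackets.
ENC_RE = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<vid>[0-9A-Fa-f]{8}-\d{4})\]\.\[(?P<mail>.+?)\]\.(?P<ext>[^.\\]+)$")


def parse_rows(text):
    """Return one dict per well-formed file-event row."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def decode_name(path):
    """Split an encrypted file name into its Phobos components, or None if it is not one."""
    base = path.rsplit("\\", 1)[-1]
    folder = path[: len(path) - len(base)]
    m = ENC_RE.match(base)
    if not m:
        return None
    return {"original": folder + m["orig"], "victim_id": m["vid"],
            "contact": m["mail"], "ext": m["ext"]}


def summarize(text, min_renames=2):
    """Count encrypted copies, victim ids and extensions; pair copies with opened originals."""
    events = parse_rows(text)
    opened = {e["target"] for e in events if e["desc"] == "File opened for modification"}
    encrypted = []
    for e in events:
        if e["desc"] != "File created":
            continue
        d = decode_name(e["target"])
        if d:
            d["paired_with_original"] = d["original"] in opened
            encrypted.append(d)
    return {
        "rows": len(events),
        "encrypted_files": len(encrypted),
        "victim_ids": Counter(d["victim_id"] for d in encrypted),
        "extensions": Counter(d["ext"] for d in encrypted),
        "paired": sum(d["paired_with_original"] for d in encrypted),
        "processes": sorted({e["process"] for e in events}),
        "signature_fires": len(encrypted) >= min_renames,   # assumed threshold
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The victim id is the value to pivot on: every encrypted file on a host carries the same `id[...]` token, so a single decoded name from one endpoint is enough to search file-event telemetry across the estate for the rest of the run.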

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
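
Most of the privilege rows above are side effects rather than the sample's own actions: vssvc.exe enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege and wbengine.exe enabling SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege are the Volume Shadow Copy service and the Windows Backup engine answering the vssadmin and wbadmin calls, and the long WMIC.exe blocks are the privilege set wmic.exe enables on its own token at start-up regardless of the query it runs. The unnamed entries `Token: 33`, `34` and `35` are the privilege LUIDs the sandbox did not resolve: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The actionable rows are the sample itself taking SeDebugPrivilege and, more importantly, who launched vssadmin, WMIC, bcdedit and wbadmin. The report's "Suspicious use of WriteProcessMemory" rows (listed further down) give that lineage. The following script is an added example, not part of the report: it rebuilds the process tree from rows in that section's layout, collapses the repeated write rows into one parent/child edge, and flags recovery-inhibition tools (ATT&CK T1490), netsh (T1562.004, to be confirmed against the command line, which this excerpt does not show) and mshta (T1218.005) when the chain is rooted in a user-writable path. The sample rows are a subset of the report's rows with PIDs and images as printed there; the tool sets and the "user-writable" heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe")

# Constructed input: a subset of the report's WriteProcessMemory rows (same
# layout; the duplicated first row is kept on purpose to exercise de-duplication).
SAMPLE_ROWS = "\n".join(
    f"PID {ppid} wrote to memory of {pid} N/A {parent} {child}"
    for ppid, pid, parent, child in [
        (1876, 2720, SAMPLE_EXE, r"C:\Windows\system32\cmd.exe"),
        (1876, 2720, SAMPLE_EXE, r"C:\Windows\system32\cmd.exe"),
        (1876, 2356, SAMPLE_EXE, r"C:\Windows\system32\cmd.exe"),
        (2356, 2732, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\netsh.exe"),
        (2720, 2696, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\vssadmin.exe"),
        (2720, 276, r"C:\Windows\system32\cmd.exe", r"C:\Windows\System32\Wbem\WMIC.exe"),
        (2720, 2240, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\bcdedit.exe"),
        (2720, 2044, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\bcdedit.exe"),
        (2720, 1416, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\wbadmin.exe"),
        (1876, 1668, SAMPLE_EXE, r"C:\Windows\SysWOW64\mshta.exe"),
    ])

ROW_RE = re.compile(r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
                    r"(?P<parent>[A-Za-z]:\\\S+) (?P<child>[A-Za-z]:\\\S+)$")

# Assumed tool sets: the four recovery tools map to T1490; netsh and mshta to
# their own techniques. vssvc.exe / wbengine.exe are the services these drive.
RECOVERY_TOOLS = {"vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe"}
OTHER_LOLBINS = {"netsh.exe": "T1562.004", "mshta.exe": "T1218.005"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Heuristic (assumed): profile, ProgramData and Windows\\Temp paths."""
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p or "\\windows\\temp\\" in p


def build_tree(text):
    """parent_of[pid] -> ppid and image[pid] -> path, from WriteProcessMemory rows."""
    parent_of, image = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        parent_of[pid] = ppid                 # repeated write rows collapse to one edge
        image[pid] = m["child"]
        image.setdefault(ppid, m["parent"])  # the root only ever appears as a parent
    return parent_of, image


def lineage(pid, parent_of):
    """PIDs from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def analyse(text):
    parent_of, image = build_tree(text)
    findings, tools_per_shell = [], defaultdict(set)
    for pid in parent_of:
        name = basename(image[pid])
        chain = lineage(pid, parent_of)
        if not is_user_writable(image[chain[0]]):
            continue   # same tools under an installed backup product are not this pattern
        names = [basename(image[p]) for p in chain]
        if name in RECOVERY_TOOLS:
            findings.append({"pid": pid, "tool": name, "technique": "T1490", "chain": names})
            tools_per_shell[parent_of[pid]].add(name)
        elif name in OTHER_LOLBINS:
            findings.append({"pid": pid, "tool": name, "technique": OTHER_LOLBINS[name], "chain": names})
    # Phobos runs all recovery tools from one cmd.exe; two or more under one shell is the signal.
    recovery = {shell: sorted(t) for shell, t in tools_per_shell.items() if len(t) >= 2}
    return {"processes": len(image), "findings": findings, "recovery_inhibition": recovery}


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS)["findings"]:
        print(f["technique"], f["pid"], " -> ".join(f["chain"]))
```

Rooting the rule on the origin of the chain rather than on the tool names is what keeps it quiet: vssadmin and wbadmin are run legitimately by backup agents and administrators, but a cmd.exe spawned from a Temp directory that then runs all four in sequence is the ransomware pre-encryption routine, and the same shell PID (2720 here) is the pivot for pulling the full command lines out of the host's process-creation logs.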

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2356 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2720 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2720 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2720 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2720 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2720 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2720 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1876 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\SysWOW64\mshta.exe
PID 1876 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe C:\Windows\system32\cmd.exe
PID 3796 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3796 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3796 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3796 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3796 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3796 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3796 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3796 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3796 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3796 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe

"C:\Users\Admin\AppData\Local\Temp\b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 1945f39900413b1dab64e83c71360712
SHA1 4e4b05eda40e2b9fdfb8e1c6c8dad6b0df1c28d2
SHA256 d868a97f8eed2a73227b038b908b2bd2919b9ba929a4f2a56e5c07290e30ac3a
SHA512 c1d29e69fee144574290c36c506aa6306edfa4e70464a04f1c42db8dcef17476d147944c2f73da276e4e8d5703ae7a514290acf72b1265c840e07de09a2e7065

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-01 16:55

Reported

2024-05-01 17:00

Platform

win7-20240221-en

Max time kernel

299s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (316) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c = "C:\\Users\\Admin\\AppData\\Local\\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe" C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSZQNXMR\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXU0E4DR\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6QIBR00Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYXNIRQN\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87XXOISN\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HKGE1S7K\desktop.ini C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00190_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18247_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Origin.eftx.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\OFFICE10.MML C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BAN98.POC.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF.id[B7D69B66-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
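The "File created" rows above show the naming scheme the encryptor applies to each victim file: `<original name>.id[<victim id>].[<contact>].<extension>`, here with victim ID `B7D69B66-3483` and extension `8base`. The following parser is an added example written for this page, not tooling from the sandbox or from the sample; it pulls the victim ID, contact field, extension and original file type out of observed paths so an incident responder can confirm that every encrypted file on a host carries the same ID (the value a Phobos-family decryptor would be keyed to) and tally which file types were hit. The contact field appears on this page as the literal `[email protected]` because the address was masked before capture; the parser treats it as an opaque string and makes no assumption about the real value. Sample paths are copied from the rows above.

```python
"""Parse Phobos/8Base-style encrypted file names (added example, not report code).

Pattern observed in the 'File created' rows:
    <original name>.id[<victim id>].[<contact>].<extension>
The contact field is whatever sits between the second pair of brackets; on this
page it is the masked literal '[email protected]', which is passed through as-is.
"""
import re
from collections import Counter

# The contact group is non-greedy because the masked form on this page contains
# its own square brackets; the victim id is 8 hex chars, a dash, 4 hex chars.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<extension>[^.\\/]+)$"
)

# Constructed sample: three 'File created' paths and one 'opened for
# modification' path taken from the report rows above.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.id[B7D69B66-3483].[[email protected]].8base",
    r"C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BAN98.POC.id[B7D69B66-3483].[[email protected]].8base",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.id[B7D69B66-3483].[[email protected]].8base",
    r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF.id[B7D69B66-3483].[[email protected]].8base",
    r"C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui",  # source file, not yet renamed
]


def parse_encrypted_name(path):
    """Return original path, victim_id, contact, extension and the original
    file's own extension, or None when the path lacks the encrypted suffix."""
    m = ENCRYPTED_NAME.search(path)
    if not m:
        return None
    d = m.groupdict()
    base = d["original"].rsplit("\\", 1)[-1]          # file name without directories
    d["original_ext"] = base.rsplit(".", 1)[1].lower() if "." in base else ""
    return d


def summarise(paths):
    """Aggregate observed paths: how many are encrypted, which victim ids,
    extensions and contacts occur, and which original file types were hit.
    More than one victim id or extension in one host's listing is a red flag
    (two infections, or a tampered listing)."""
    parsed = [p for p in map(parse_encrypted_name, paths) if p]
    return {
        "encrypted": len(parsed),
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "extensions": sorted({p["extension"] for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "by_type": dict(Counter(p["original_ext"] or "(none)" for p in parsed)),
    }


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(parse_encrypted_name(path))
    print(summarise(SAMPLE_PATHS))
```

To run it over a live host, feed `summarise()` the output of a recursive directory walk instead of `SAMPLE_PATHS`; the parser only looks at the file name, so it works on paths from a forensic image or a file listing just as well.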

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1144 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1144 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1144 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3044 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1144 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2380 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\SysWOW64\mshta.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1144 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1144 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1144 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1144 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1144 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe

"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
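The command lines in this process list are the part of the run most worth detecting: shadow copies deleted twice over (vssadmin and WMIC), Windows Recovery disabled through bcdedit, the backup catalog wiped with wbadmin, both firewall interfaces switched off through netsh, and the ransom note displayed with mshta. Any one of them can be an administrator; several of them from the same process tree within one session is a ransomware precursor. The detector below is an added example written for this page, not sandbox or vendor code. It runs over constructed process-creation events with Sysmon Event ID 1 style fields whose command lines are copied from the list above; the PIDs are invented, and the ATT&CK technique IDs are the published ones for inhibiting system recovery (T1490), disabling the system firewall (T1562.004) and mshta execution (T1218.005).

```python
"""Detect the recovery-inhibition chain from this report (added example).

Input: process-creation events with ProcessId, ParentProcessId and CommandLine
(Sysmon Event ID 1 style). Hits are grouped by the top-most known ancestor so
that commands spawned through intermediate cmd.exe shells are attributed to the
original executable.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, pattern over the normalised command line)
RULES = [
    ("vssadmin delete shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic shadowcopy delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit recoveryenabled no", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("bcdedit bootstatuspolicy ignoreallfailures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b")),
    ("wbadmin delete catalog", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("netsh advfirewall state off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b")),
    ("netsh legacy firewall opmode disable", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\bopmode\b.*\bmode\s*=\s*disable\b")),
    ("mshta launching .hta", "T1218.005",
     re.compile(r"\bmshta(?:\.exe)?\b.*\.hta\b")),
]

# Constructed events: command lines from the report, PIDs made up for the example.
SAMPLE_EVENTS = [
    {"ProcessId": 2380, "ParentProcessId": 1000,
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c.exe"'},
    {"ProcessId": 3044, "ParentProcessId": 2380, "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 1144, "ParentProcessId": 2380, "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 2608, "ParentProcessId": 3044, "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"ProcessId": 1592, "ParentProcessId": 3044, "CommandLine": "netsh firewall set opmode mode=disable"},
    {"ProcessId": 2736, "ParentProcessId": 1144, "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 2712, "ParentProcessId": 1144, "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 2192, "ParentProcessId": 1144, "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 2684, "ParentProcessId": 1144, "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ProcessId": 2376, "ParentProcessId": 1144, "CommandLine": "wbadmin delete catalog -quiet"},
    {"ProcessId": 1044, "ParentProcessId": 2380,
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    # Unrelated administrator activity in the same log; must not be flagged.
    {"ProcessId": 5000, "ParentProcessId": 4000, "CommandLine": "vssadmin list shadows"},
]


def classify(cmdline):
    """Return (rule name, technique) pairs that match one command line.
    Case and repeated whitespace are normalised before matching."""
    norm = " ".join(cmdline.lower().split())
    return [(name, tech) for name, tech, rx in RULES if rx.search(norm)]


def root_of(pid, parent_of):
    """Follow ParentProcessId links while the parent is itself a logged process;
    the loop guard copes with PID reuse producing a cycle."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def triage(events):
    """Group rule hits by root process. A root is marked as an
    inhibit-recovery chain when two or more distinct T1490 behaviours are
    seen beneath it; a single 'vssadmin delete shadows' alone stays a hit
    without the chain verdict, since backup software can issue it too."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    by_root = defaultdict(list)
    for e in events:
        for name, tech in classify(e["CommandLine"]):
            by_root[root_of(e["ProcessId"], parent_of)].append((name, tech, e["ProcessId"]))
    report = {}
    for root, hits in by_root.items():
        distinct_t1490 = {name for name, tech, _ in hits if tech == "T1490"}
        report[root] = {
            "techniques": sorted({tech for _, tech, _ in hits}),
            "hits": hits,
            "inhibit_recovery_chain": len(distinct_t1490) >= 2,
        }
    return report


if __name__ == "__main__":
    for root, r in triage(SAMPLE_EVENTS).items():
        print(root, r["techniques"], "chain" if r["inhibit_recovery_chain"] else "single hit")
        for name, tech, pid in r["hits"]:
            print("   ", pid, tech, name)
```

In production the same rules map directly onto Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled); the grouping by root ancestor is what keeps the verdict attached to the dropped executable rather than to the intermediate `cmd.exe` instances, which is how this sample laid out its process tree.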

Network

N/A

Files

memory/2380-0-0x00000000001B0000-0x00000000001C5000-memory.dmp

memory/2380-2-0x0000000000250000-0x000000000025F000-memory.dmp

memory/2380-1-0x00000000001B0000-0x00000000001C5000-memory.dmp

memory/2380-3-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1944-7-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1944-6-0x0000000000240000-0x000000000024F000-memory.dmp

memory/1944-5-0x0000000000400000-0x000000000092B000-memory.dmp

memory/1944-8-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2380-3800-0x0000000000400000-0x000000000092B000-memory.dmp

C:\info.hta

MD5 c32287524ea7a385a95cdbe74de33d56
SHA1 4a6204a897d38c54efd3df9d5aed9bd58ba72f51
SHA256 af8e04cb30f6ff3d006ea3ff81384544a298622adb6604724d1c2580c9597a6a
SHA512 cbbf97ca4794c151cf448de8f437020a66020623686d2be881daefd81f9ee17b55e60fe2f5345e6eb1c5afd0423c7e5df43496086d703785a667daba947adccb

memory/2380-10262-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2380-10261-0x0000000000400000-0x000000000092B000-memory.dmp