Malware Analysis Report

2024-09-11 01:46

Sample ID 240507-hbsf9agb25
Target 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
SHA256 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da
Tags themida medusalocker defense_evasion evasion execution impact persistence ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

Threat Level: Known bad

The file 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe was found to be: Known bad.

Malicious Activity Summary

themida medusalocker defense_evasion evasion execution impact persistence ransomware spyware stealer trojan

MedusaLocker

MedusaLocker payload

Deletes shadow copies

Renames multiple (618) files with added filename extension

Renames multiple (648) files with added filename extension

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Deletes System State backups

Reads user/profile data of web browsers

Checks computer location settings

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 06:34

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 06:34

Reported

2024-05-07 06:36

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (618) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\networks.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe\" e" C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\edbtmp.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\ELAM.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\65672a30-5161-4ee2-a883-fe13c9d7574b.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BBI C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\ELAM C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\2c7f5940-33e1-472c-92a2-972656209776.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\cd2e2e9a-8925-4e6f-be07-91b924de7188.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\65672a30-5161-4ee2-a883-fe13c9d7574b C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\DEFAULT C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\2c7f5940-33e1-472c-92a2-972656209776 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\edb.jcp C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\cd2e2e9a-8925-4e6f-be07-91b924de7188.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File created C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\ResPriHMImageListLowCost C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\ELAM.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Boot\PCAT\bootmgr C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 716 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 716 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 716 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 716 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 716 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 716 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 716 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 716 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 716 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\System32\Wbem\wmic.exe
PID 716 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\System32\Wbem\wmic.exe
PID 716 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\system32\cmd.exe
PID 716 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

"C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0DD34E~1.EXE >> NUL

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

Network

Files

C:\Windows\System32\catroot2\edb.log

C:\Windows\System32\catroot2\dberr.txt

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.ReadInstructions

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.ReadInstructions

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.ReadInstructions

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.ReadInstructions

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.ReadInstructions

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 06:34

Reported

2024-05-07 06:36

Platform

win11-20240419-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload


Deletes shadow copies

ransomware defense_evasion impact execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (648) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe\" e" C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-293923083-2364846840-4256557006-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\ELAM C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\ResPriLMImageList C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\SECURITY C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\SAM C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\2f3d9245-d6fd-4efd-a5be-c88ecac86a48 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\ResPriHMImageList C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\ResPriUHMImageList C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\ELAM.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Diagnostic.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\ResPriHMImageListLowCost C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\2f3d9245-d6fd-4efd-a5be-c88ecac86a48.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\BBI C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\System32\config\ELAM.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\initial_preferences.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\initial_preferences C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\initial_preferences.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\053d063bc0bd73dcab349a3000df8955f9bfc54d2c963978102e1294546dbbc4 C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Boot\PCAT\bootnxt C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SystemTemp\Crashpad\metadata.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\053d063bc0bd73dcab349a3000df8955f9bfc54d2c963978102e1294546dbbc4.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_75c3ddb7-c9de-4243-85c4-4f244c31f3a9.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_75c3ddb7-c9de-4243-85c4-4f244c31f3a9.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Boot\DVD\EFI\BCD C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Boot\DVD\PCAT\BCD C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.inprocess C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.ReadInstructions C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3824 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3824 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3824 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3824 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3824 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\System32\Wbem\wmic.exe
PID 3824 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

"C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0DD34E~1.EXE >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3824-1-0x00007FFAEE0E7000-0x00007FFAEE0E9000-memory.dmp

memory/3824-0-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-2-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-4-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-3-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-7-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-8-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-6-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-5-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-595-0x00007FF770EE0000-0x00007FF771721000-memory.dmp

memory/3824-1612-0x00007FF770EE0000-0x00007FF771721000-memory.dmp