Malware Analysis Report

2024-09-11 01:05

Sample ID 240522-rmvkeseb8v
Target [email protected]
SHA256 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f
Tags
phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f

Threat Level: Known bad

The file [email protected] was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Renames multiple (310) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (516) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:19

Reported

2024-05-22 14:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (310) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZQH3SP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\108YEMNS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\security\blacklist | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01080_.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\desktop.ini.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF.id[38106F05-2930].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1688 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1688 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1688 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2068 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1688 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1688 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1688 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1688 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1688 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1688 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1688 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2860 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2860 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1804 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1804 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1804 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1804 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1804 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1804 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1804 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1804 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 cb75a040dea84fbffa99dfe443c3dd62
SHA1 0d9ea17afd02907dfe2df1dadd269affceaf6d25
SHA256 d93216141250aec19eecf054849d347740e4d9e7c4810a7757fa4a25af03f615
SHA512 915227360240f669a26f187e752034e8a9a04ef758341b0de80612234cd92b2de8027da6b64c0f4bb97a052a5878fd23165ab82ffd93a9d454e4a391dac4cb12

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:19

Reported

2024-05-22 14:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (516) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_opencarat_18.svg.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\7-Zip\Lang\es.txt.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\7-Zip\7z.sfx.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.INF C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\Mozilla Firefox\xul.dll.sig C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\ui-strings.js.id[465A7C09-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3708 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1576 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3708 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1576 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1576 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1576 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2064 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2064 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2064 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\mshta.exe
PID 2064 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3260 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3260 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3260 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3260 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network


Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[465A7C09-2930].[[email protected]].eking

MD5 793d813fa140ff4ae9725a5eb6e39716
SHA1 e42608a3c4fdce6286a7db22e7eac09685847852
SHA256 f5f43e3df0208dcbec249632d3fa02351d13c117799fe4d554a9bae982c3e039
SHA512 6ff7be939e189f43d3953df99639c2bc34d6aab98e08a67f0264338d2331af35d87cfd42a1af58514bd066fb52f3a03339eef1766f32f3e88cdce16af99364d7

C:\info.hta

MD5 6d0f1a14f5d42ea87a834e4bcde1cd5d
SHA1 8502f1742ebf32845dece99904b02f232698f606
SHA256 4ec7e1de32185b324515bfc2cc0b794766687ca88b886b60751eea3cb5348c36
SHA512 4bdc9e50e5b0a2e4b1ab258da3fe6cf0d64799b24c1b5b66136a9942e8d9888975a6bf42240df23f90870b15f756468568adccc4ba028acebab68ff67bce8dae