Malware Analysis Report

2024-09-11 01:44

Sample ID 240523-byvrkaha36
Target 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe
SHA256 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f
Tags
phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f

Threat Level: Known bad

The file 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (103) files with added filename extension

Deletes shadow copies

Renames multiple (315) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-23 01:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 01:33

Reported

2024-05-23 01:36

Platform

win7-20231129-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (315) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Both Run values (HKLM and the user hive) point at C:\Users\Admin\AppData\Local\<sha256>.exe rather than at the AppData\Local\Temp path the sample was launched from; whether that copy is actually written is not shown in the tables reproduced here, so check both locations, plus the Startup folder entry above, during containment.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BP3UABCB\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4XCMPANZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJ7YKCO8\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FW0P2MZH\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMDLW4SJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0U93YK0N\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre7\bin\net.dll.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPL.ICO.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36F.GIF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Tijuana C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Bahia.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00178_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7 C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\EET.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSAIN.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Filters.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\mpvis.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.id[8FDF99D0-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
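The suffix on the files created above is the Phobos naming scheme: the original name, then .id[<8-hex-digit victim id>-<4-character build id>], the operator's contact address in square brackets, and the campaign extension (here 8FDF99D0, 2930 and .eking). The page has masked the contact address as "[email protected]", so that value cannot be taken from this copy of the report as an indicator. The Python below is an added example written for this page, not sandbox or Phobos tooling: it decodes that suffix and walks indicator rows in the format printed in these tables (the "Renames multiple files", "Drops startup file", "Adds Run key" and "Drops file in Program Files directory" signatures) to produce an encrypted-file inventory and the persistence entries an incident responder needs. The sample rows are copied from this page with the SHA-256 substituted back in; the column order (Description, Indicator, Process, Target) is assumed from the table headers, and the masked contact is parsed as it appears.

```python
"""Decode Phobos file names and pull IOCs out of sandbox indicator rows (added example)."""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Encrypted-file name: <original>.id[<8-hex victim id>-<4-char build id>].[<contact>].<ext>
# The contact is matched lazily so the masked form on this page ("[[email protected]]")
# parses the same way as a real bracketed address would.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<build_id>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]{2,16})$"
)

# Row shape in the signature tables: "<description> <indicator> <process> <target>".
# Only the process column is guaranteed space-free, so the indicator path is matched lazily.
FILE_ROW = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)
RUN_KEY_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*\\CurrentVersion\\Run\\\S+) = "(?P<image>[^"]+)"'
)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


@dataclass(frozen=True)
class EncryptedFile:
    original: str
    victim_id: str
    build_id: str
    contact: str
    ext: str


def parse_phobos_name(path: str) -> Optional[EncryptedFile]:
    """Decode the Phobos suffix of an encrypted file path, or None if it has none."""
    m = PHOBOS_SUFFIX.match(path)
    if m is None:
        return None
    return EncryptedFile(m["original"], m["victim_id"].upper(), m["build_id"].upper(),
                         m["contact"], m["ext"].lower())


def original_extension(e: EncryptedFile) -> str:
    base = e.original.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else "(none)"


def summarize(rows: List[str]) -> Dict[str, object]:
    """Walk indicator rows and collect encryption scope plus persistence IOCs."""
    encrypted: List[EncryptedFile] = []
    run_keys: List[Dict[str, str]] = []
    startup_drops: List[str] = []
    for row in rows:
        m = RUN_KEY_ROW.match(row)
        if m:
            # The report doubles backslashes inside the quoted registry value.
            run_keys.append({"key": m["key"], "image": m["image"].replace("\\\\", "\\")})
            continue
        m = FILE_ROW.match(row)
        if not m:
            continue
        path = m["path"]
        enc = parse_phobos_name(path)
        if enc:
            encrypted.append(enc)
        elif m["action"] == "File created" and STARTUP_DIR.search(path) and path.lower().endswith(".exe"):
            startup_drops.append(path)
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "build_ids": sorted({e.build_id for e in encrypted}),
        "contacts": sorted({e.contact for e in encrypted}),
        "extensions": sorted({e.ext for e in encrypted}),
        "original_types": dict(Counter(original_extension(e) for e in encrypted)),
        "run_keys": run_keys,
        "startup_drops": startup_drops,
    }


# Rows copied from the tables on this page (contact address masked by the page itself).
SHA = "5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f"
PROC = r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SHA
SAMPLE_ROWS = [
    r"File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\%s.exe %s N/A" % (SHA, PROC),
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8FDF99D0-2930].[[email protected]].eking %s N/A" % PROC,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%s = "C:\\Users\\Admin\\AppData\\Local\\%s.exe" %s N/A' % (SHA, SHA, PROC),
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\%s = "C:\\Users\\Admin\\AppData\\Local\\%s.exe" %s N/A' % (SHA, SHA, PROC),
    r"File created C:\Program Files\Java\jre7\bin\net.dll.id[8FDF99D0-2930].[[email protected]].eking %s N/A" % PROC,
    r"File created C:\Program Files\Java\jre7\lib\zi\America\Bahia.id[8FDF99D0-2930].[[email protected]].eking %s N/A" % PROC,
    r"File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand %s N/A" % PROC,
    r"File opened for modification C:\Users\Admin\Documents\desktop.ini %s N/A" % PROC,
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Run against the full tables the summary gives the victim id, build id and extension to pivot on, the original file types hit (the report shows the walker does not skip binaries such as .dll), and the two Run values plus the Startup copy to remove.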

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID not resolved by the sandbox; SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID not resolved by the sandbox; SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID not resolved by the sandbox; SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID not resolved by the sandbox; SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID not resolved by the sandbox; SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID not resolved by the sandbox; SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2180 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2180 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2180 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2208 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2180 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2180 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2180 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2180 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2180 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2180 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2820 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3064 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3064 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3064 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3064 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3064 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3064 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3064 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3064 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3064 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
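The process list above, read together with the "Suspicious use of WriteProcessMemory" table, is the classic Phobos recovery-inhibition chain: the sample spawns two cmd.exe instances, one of which disables the firewall through netsh while the other deletes shadow copies (vssadmin, wmic), turns off Windows recovery (bcdedit) and deletes the backup catalog (wbadmin), before mshta displays the ransom note. The following Python is an added example and not part of the sandbox report. It maps command lines to ATT&CK technique ids, attributes hits to the root process of the tree, and flags a root only when several distinct recovery-inhibition commands run under it, so a lone administrative vssadmin call does not fire. PIDs and command lines are taken from the tables above; the sample's own parent (pid 1000), the benign "vssadmin list shadows" control and the shortened sample name are constructed, and the technique mapping is mine, not the sandbox's.

```python
"""Map a sandbox process tree to ATT&CK technique ids.

Added example, not part of the sandbox report. PIDs and command lines come
from the report's tables; pid 1000 (parent of the sample), the benign
'vssadmin list shadows' control and the name sample.exe are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    cmdline: str


# Rule id -> case-insensitive search over the full command line. The ids are
# my mapping: T1490 Inhibit System Recovery, T1562.004 Disable or Modify
# System Firewall, T1218.005 System Binary Proxy Execution: Mshta.
RULES: List[Tuple[str, re.Pattern]] = [
    ("T1490/vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490/wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490/bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490/wbadmin", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004/netsh", re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
    ("T1218.005/mshta", re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the ids of all rules whose pattern matches this command line."""
    return [rid for rid, pat in RULES if pat.search(cmdline)]


def root_of(pid: int, by_pid: Dict[int, Proc]) -> int:
    """Follow ppid links up to the first process whose parent is not in the capture."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect_recovery_inhibition(procs: Iterable[Proc], min_t1490: int = 2) -> Dict[int, dict]:
    """Group rule hits by root process; keep roots with >= min_t1490 distinct T1490 hits."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    hits: Dict[int, dict] = defaultdict(lambda: {"techniques": set(), "commands": []})
    for p in procs:
        rids = classify(p.cmdline)
        if not rids:
            continue
        root = root_of(p.pid, by_pid)
        hits[root]["techniques"].update(rids)
        hits[root]["commands"].append((p.pid, p.cmdline))
    return {root: h for root, h in hits.items()
            if sum(t.startswith("T1490/") for t in h["techniques"]) >= min_t1490}


WPM_ROW = re.compile(r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<paths>.+)$")


def parse_wpm_rows(rows: Iterable[str]) -> Dict[Tuple[int, int], Tuple[str, str]]:
    """Deduplicate 'wrote to memory' rows into (ppid, pid) -> (parent path, child path).

    The sandbox emits one row per WriteProcessMemory call it observes, so one
    process launch yields several identical rows; the edge set is what matters.
    """
    edges = {}
    for row in rows:
        m = WPM_ROW.match(row)
        if not m:
            continue
        cut = m["paths"].rfind(" C:\\")  # child path column starts with a drive letter
        edges[(int(m["ppid"]), int(m["pid"]))] = (m["paths"][:cut], m["paths"][cut + 1:])
    return edges


SAMPLE_PROCS = [  # constructed from the report's PIDs and command lines
    Proc(2820, 1000, r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    Proc(2180, 2820, r'"C:\Windows\system32\cmd.exe"'),
    Proc(2208, 2820, r'"C:\Windows\system32\cmd.exe"'),
    Proc(2668, 2208, "netsh advfirewall set currentprofile state off"),
    Proc(1152, 2208, "netsh firewall set opmode mode=disable"),
    Proc(2676, 2180, "vssadmin delete shadows /all /quiet"),
    Proc(2416, 2180, "wmic shadowcopy delete"),
    Proc(2760, 2180, "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Proc(956, 2180, "bcdedit /set {default} recoveryenabled no"),
    Proc(1060, 2180, "wbadmin delete catalog -quiet"),
    Proc(2332, 2820, r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'),
    Proc(1234, 1000, "vssadmin list shadows"),  # benign control, must not be flagged
]

SAMPLE_WPM_ROWS = [  # constructed; the repeated row mirrors the table above
    r"PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\cmd.exe",
    r"PID 2820 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\cmd.exe",
    r"PID 2180 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe",
]

if __name__ == "__main__":
    for root, h in detect_recovery_inhibition(SAMPLE_PROCS).items():
        print(root, sorted(h["techniques"]), len(h["commands"]), "commands")
    print(parse_wpm_rows(SAMPLE_WPM_ROWS))
```

Attributing hits to the root rather than to the immediate parent is what makes the rule robust here: every destructive command is a child of cmd.exe, and cmd.exe alone is not suspicious, but the sample that spawned both cmd.exe instances accumulates all four T1490 hits plus the firewall and mshta hits. Note that behavioral1 shows the whole chain twice (a second cmd.exe, pid 3064, repeats vssadmin, wmic, bcdedit and wbadmin), which is consistent with the sample re-running its cleanup rather than with a second infection.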

Network

N/A

Files

C:\info.hta

MD5 73c587b9d29ac11ebcb5e0a5ea2ebd41
SHA1 6db4f0ba4149e063fa6037d6d9a94461cc586ef8
SHA256 ae71bcdcb018f283f510414df1b641f34ba3ae9bdcec72cbbd6930f76e178a60
SHA512 ad109e0b3d569b5e5ad10a13e5a4044e011718377e8b935753d0004c9e7f310cd45ecbe9f269a1b6bea7a30472ddb25a1913d675f638c5aab8a41e34747380a8

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 01:33

Reported

2024-05-23 01:36

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (103) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
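The two signatures above record three autostart locations for the same copy of the sample: an HKLM Run value, an HKU Run value for the logged-on user, and a copy in the user's Startup folder. The following Python is an added example and not part of the sandbox report. It turns the raw indicator rows into normalised autostart records (hive prefix resolved, the \??\ object-manager prefix stripped, the doubled backslashes the report uses for registry data collapsed) and marks targets that live in user-writable locations. The sample rows are constructed in the report's row format with the SHA256 file name shortened to sample / sample.exe.

```python
"""Normalise Run-key and Startup-folder indicators into autostart IOC records.

Added example, not part of the sandbox report. The rows below are
constructed in the report's format with the long SHA256 name shortened.
"""
import re
from typing import Iterable, List, NamedTuple, Optional


class Autostart(NamedTuple):
    kind: str            # "run_key" or "startup_folder"
    location: str        # normalised registry key or folder path
    name: str            # value name or dropped file name
    target: str          # executable launched at logon
    user_writable: bool  # True when the target lives under a user profile


RUN_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" '
)
STARTUP_ROW = re.compile(
    r'^File created (?P<path>\\\?\?\\\S+\\start menu\\programs\\startup\\(?P<name>\S+)) ',
    re.IGNORECASE,
)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def normalise_key(key: str) -> str:
    """Replace the kernel-style hive prefix with the usual HKLM / HKU form."""
    for raw, short in HIVES:
        if key.upper().startswith(raw):
            return short + key[len(raw):]
    return key


def is_user_writable(path: str) -> bool:
    """Crude check: user profiles and ProgramData are writable without elevation."""
    low = path.lower()
    return low.startswith("c:\\users\\") or low.startswith("c:\\programdata\\")


def parse_run_row(row: str) -> Optional[Autostart]:
    m = RUN_ROW.match(row)
    if not m:
        return None
    target = m["data"].replace("\\\\", "\\")  # report renders registry data with doubled backslashes
    return Autostart("run_key", normalise_key(m["key"]), m["name"], target, is_user_writable(target))


def parse_startup_row(row: str) -> Optional[Autostart]:
    m = STARTUP_ROW.match(row)
    if not m:
        return None
    path = m["path"][len("\\??\\"):]          # strip the NT object-manager prefix
    folder = path[: -len(m["name"]) - 1]
    return Autostart("startup_folder", folder, m["name"], path, is_user_writable(path))


def collect(rows: Iterable[str]) -> List[Autostart]:
    """Parse every row that is a Run-key set or a Startup-folder drop."""
    out = []
    for row in rows:
        entry = parse_run_row(row) or parse_startup_row(row)
        if entry:
            out.append(entry)
    return out


SAMPLE_ROWS = [  # constructed in the report's row format
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "C:\\Users\\Admin\\AppData\\Local\\sample.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "C:\\Users\\Admin\\AppData\\Local\\sample.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]

if __name__ == "__main__":
    for entry in collect(SAMPLE_ROWS):
        print(entry)
```

The HKLM write succeeds only because the sample runs elevated in the sandbox; on a host where it runs as a standard user, only the HKU value and the Startup-folder copy land, so a hunt that looks at HKLM\...\Run alone misses it. All three targets are under the user profile, which is the practical cleanup detail: removing the Run values without also deleting the copy in %LOCALAPPDATA% and the Startup folder leaves the ransomware one logon away from running again.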

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.TypeConverter.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Resources.Extensions.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfr.jar.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.HTM C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Http.Json.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\PresentationUI.resources.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrgc.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero2.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jawt.h.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l2-1-0.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Sockets.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Memory.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.Primitives.resources.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.Watcher.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.VisualBasic.Core.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\PresentationUI.resources.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationFramework.resources.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebProxy.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Quic.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.Extensions.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ja.txt C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.DriveInfo.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClient.resources.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\meta-index.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.Linq.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.VisualBasic.dll.id[A52C3154-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
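Every file the sample creates above carries the same trailing marker, .id[A52C3154-2930].[<contact address>].eking, appended after the original name and extension (gl.txt becomes gl.txt.id[...].[...].eking). That is the Phobos naming scheme: an 8-hex-digit per-victim ID, a 4-digit campaign/build number, the operator's contact address in brackets, and the campaign extension. The Python below is an added example, not code from this report or from the malware, that parses that marker and summarises a file listing so a responder can confirm that every encrypted file on a host shares one ID/contact/extension tuple. The report's contact address is redacted, so the constructed listing uses the placeholder contact@example.com; the marked paths are otherwise taken from the rows above, and the unmarked and look-alike entries are added controls.

```python
"""Parse Phobos-style encrypted file names and summarise a listing.
Added example; not the report's or the malware's code."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# <original name>.id[<8 hex: per-victim ID>-<4 digits: campaign/build>].[<contact>].<ext>
# The original extension is kept, so the marker is the whole trailing suffix.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<build>\d{4})\]"
    r"\.\[(?P<contact>[^\]\\/]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{1,16})$"
)


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    build: str
    contact: str
    ext: str


def parse_phobos_name(path: str) -> Optional[EncryptedName]:
    """Return the parsed marker fields, or None if the name is not marked."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PHOBOS_SUFFIX.match(name)
    return EncryptedName(**m.groupdict()) if m else None


def summarise(paths: List[str]) -> Dict[str, object]:
    """Count marked vs unmarked files and tally the distinct markers.
    A single Phobos infection should yield exactly one marker tuple."""
    parsed = [(p, parse_phobos_name(p)) for p in paths]
    hits = [n for _, n in parsed if n]
    return {
        "encrypted": len(hits),
        "untouched": [p for p, n in parsed if n is None],
        "markers": Counter((n.victim_id, n.build, n.contact, n.ext) for n in hits),
        "originals": sorted(n.original for n in hits),
    }


# Constructed listing: the marked paths are rows from the report with the
# redacted address replaced by the placeholder contact@example.com; the
# unmarked entries and the look-alike last entry are added controls.
CONTACT = "contact@example.com"
LISTING = [
    rf"C:\Program Files\7-Zip\Lang\pt-br.txt.id[A52C3154-2930].[{CONTACT}].eking",
    rf"C:\Program Files\Java\jdk-1.8\include\jawt.h.id[A52C3154-2930].[{CONTACT}].eking",
    rf"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrgc.dll.id[A52C3154-2930].[{CONTACT}].eking",
    r"C:\Program Files\7-Zip\7-zip.dll",
    r"C:\Program Files\7-Zip\Lang\gl.txt",
    r"C:\Users\Admin\Documents\notes.id[deadbeef].txt",  # wrong shape: must not match
]

if __name__ == "__main__":
    s = summarise(LISTING)
    print(f"{s['encrypted']} encrypted, {len(s['untouched'])} untouched")
    for (vid, build, contact, ext), n in s["markers"].items():
        print(f"  id={vid} build={build} contact={contact} ext=.{ext}: {n} files")
```

Run it over a recursive directory listing (or the sandbox's file table) to confirm the marker is uniform; more than one distinct marker tuple on a single host indicates either a second infection or a different sample and should be triaged separately.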

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A (identical row repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1640 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1844 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1844 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1640 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1640 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1844 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1844 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1844 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1844 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1844 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1844 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1844 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1844 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
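The command lines above are the Phobos recovery-inhibition sequence. The WriteProcessMemory table shows the sample (PID 1188) spawning two cmd.exe children: PID 1844 runs vssadmin, WMIC, both bcdedit commands and wbadmin, while PID 1640 runs the two netsh firewall commands (advfirewall for current Windows, the legacy firewall context for older builds). vssvc.exe and wbengine.exe are the service-side processes those commands trigger, and the msedge.exe utility process is unrelated sandbox background. The Python below is an added example, not code from the report or the sandbox, showing how to detect that chain in process-creation telemetry: each command line is matched against tolerant patterns, hits are grouped under their root ancestor, and one alert fires on the parent instead of seven on the children. The event list is constructed from the report's process list and parent/child PIDs; the report does not give the parent of PID 1188 or say which netsh PID ran which command, so those are assumed, and the final benign `vssadmin list shadows` event is added as a non-matching control.

```python
"""Flag the backup/recovery-inhibition chain recorded in this detonation
(vssadmin, wmic, bcdedit, wbadmin) plus the netsh firewall disable, from
process-creation events. Added example; not code from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (label, ATT&CK technique, pattern). Patterns are case-insensitive and
# tolerate extra arguments so they are not tied to this one sample's strings.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("vssadmin delete shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit recoveryenabled no", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin delete catalog", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("netsh advfirewall state off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("netsh firewall opmode disable", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\bopmode\b.*\bdisable\b", re.I)),
]

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe")
CMD = r"C:\Windows\system32\cmd.exe"

# Constructed from the report's process list and its WriteProcessMemory
# parent/child PIDs. The parent of 1188 is not in the report (ppid 0 here),
# and the two netsh PIDs are assigned to the two netsh command lines in
# listed order, which the report does not state. The last event is a benign
# control that must not match.
EVENTS = [
    ProcEvent(1188, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1844, 1188, CMD, f'"{CMD}"'),
    ProcEvent(1640, 1188, CMD, f'"{CMD}"'),
    ProcEvent(3496, 1640, r"C:\Windows\system32\netsh.exe",
              "netsh advfirewall set currentprofile state off"),
    ProcEvent(2696, 1844, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(4472, 1640, r"C:\Windows\system32\netsh.exe",
              "netsh firewall set opmode mode=disable"),
    ProcEvent(228, 1844, r"C:\Windows\System32\Wbem\WMIC.exe",
              "wmic shadowcopy delete"),
    ProcEvent(4316, 1844, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(548, 1844, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(4088, 1844, r"C:\Windows\system32\wbadmin.exe",
              "wbadmin delete catalog -quiet"),
    ProcEvent(5000, 900, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin list shadows"),  # constructed benign control
]


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (label, technique) for every rule the command line matches."""
    return [(label, tech) for label, tech, rx in RULES if rx.search(cmdline)]


def root_ancestor(by_pid: Dict[int, ProcEvent], pid: int) -> int:
    """Walk ppid links up to the highest ancestor we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events: List[ProcEvent], min_t1490: int = 2) -> Dict[int, dict]:
    """Group rule hits by root ancestor; alert when one process tree shows
    at least min_t1490 distinct recovery-inhibition commands. Firewall hits
    are reported alongside but do not gate the alert on their own."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[Tuple[str, str]]] = {}
    for e in events:
        for hit in match_rules(e.cmdline):
            hits.setdefault(root_ancestor(by_pid, e.pid), []).append(hit)
    alerts = {}
    for root, rows in hits.items():
        t1490 = sorted({lbl for lbl, tech in rows if tech == "T1490"})
        fw = sorted({lbl for lbl, tech in rows if tech == "T1562.004"})
        if len(t1490) >= min_t1490:
            alerts[root] = {"image": by_pid[root].image,
                            "inhibit_recovery": t1490,
                            "disable_firewall": fw}
    return alerts


if __name__ == "__main__":
    for root, info in detect(EVENTS).items():
        print(f"PID {root} {info['image']}")
        print("  T1490:", ", ".join(info["inhibit_recovery"]))
        print("  T1562.004:", ", ".join(info["disable_firewall"]))
```

Grouping by root ancestor is what makes this usable against real telemetry: any single one of these commands can be legitimate administration, but five distinct recovery-inhibition commands under one unsigned executable in a Temp directory is the pattern a ransomware detection should key on. The same grouping works on Sysmon Event ID 1 or Security 4688 records once they are mapped into ProcEvent.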

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[A52C3154-2930].[[email protected]].eking

MD5 8d42b6f660feb03581304f5f43475c0a
SHA1 76b25298ce21c4ade3f4289afe153d8c4087d13c
SHA256 45e4f47dce6ed8df4767ce243a50b7f96c17da7e99175da1f51a79906844cb3c
SHA512 a7af3dc01697978e22fbdc7dfde7a16a3e8d029b4cf146c58cdba322723fe5fcb4ef18ee25eff4c37c76696f06c552feed447b5756bf145d29711729142b79dd