Malware Analysis Report

2024-09-11 01:44

Sample ID 240523-rvffgaec81
Target 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe
SHA256 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f
Tags phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f

Threat Level: Known bad

The file 5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Renames multiple (515) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (320) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-23 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 14:30

Reported

2024-05-23 14:33

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (320) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BB4W7M7Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HUNEJ1HU\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UZVS19T\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2RM92H5V\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A9XVYA91\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MG62UP6H\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EQ2PZD61\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\VideoLAN Website.url C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAEXT.DLL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOT.WAV.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOT.WAV C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\PREVIEW.GIF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\libvlccore.dll.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.id[37D59BDB-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3008 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3008 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1580 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1580 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3008 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3008 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3008 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1580 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1580 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1580 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1580 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1580 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2132 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 2132 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2508 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2508 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2508 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2508 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2508 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2508 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 f1c2d0dba9b080a9a2d81c45a3492df6
SHA1 326039721a61e13b44d1643c3be5c79dd5a6a694
SHA256 9bf83ab51106f84e008d9b2c56250f8bfa1356d2c761b17917e4d00be16af81d
SHA512 9e898f65cbb2eb81bbd4d31255f31aec630cd4a41e1a9914ef62561d8465d0cc9c4c428ce3227ca30c973a98ce4cfd0a5c6ca99959387a63bc85dc896af887f7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 14:30

Reported

2024-05-23 14:33

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (515) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f = "C:\\Users\\Admin\\AppData\\Local\\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe" C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Net.WebHeaderCollection.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_hr.json C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.scale-100.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_fil.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\glass.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PowerShell.PackageManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sw.pak C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\wintlim.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.TypeExtensions.dll C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id[EDCB8A5F-2930].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
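The "File created" rows above show the naming scheme this Phobos build applies to every file it encrypts: the original name, then `.id[<victim-id>].[<contact>].eking`. The victim ID (`EDCB8A5F-2930`) is commonly described as a per-host value plus a short affiliate tag, so it is specific to this detonation, while the contact address and the `.eking` extension recur across victims of the same campaign. The report page masks the contact address as `[email protected]`, so the real string is not recoverable from it. The helper below is an added example, not code from the report or the sandbox vendor: it parses such names out of an (action, path) event list, pairs each encrypted name with the plain file that was opened for writing, and derives a file-name pattern usable as an IOC. The sample events are constructed from the report's own paths with a placeholder contact address.

```python
"""Added triage helper for Phobos-style encrypted file names (not part of the
sandbox report). Phobos renames every file it encrypts to
    <original>.id[<victim-id>].[<contact>].<ext>
where <victim-id> is 8 hex digits, a dash and 4 more hex digits, <contact> is
the operator's address and <ext> is the campaign extension ("eking" here).
"""
import re
from collections import Counter

PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"                                    # path up to the suffix
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"  # .id[EDCB8A5F-2930]
    r"\.\[(?P<contact>[^\]]+)\]"                             # .[contact address]
    r"\.(?P<ext>[A-Za-z0-9]+)$"                              # .eking
)

# Constructed sample modelled on the report's "Drops file in Program Files
# directory" table. The contact address is a placeholder: the report page masks
# the real one. The paths themselves are taken from the report.
SAMPLE_EVENTS = [
    ("File created", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.id[EDCB8A5F-2930].[attacker@example.com].eking"),
    ("File opened for modification", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll"),
    ("File opened for modification", r"C:\Program Files\Java\jdk-1.8\bin\jstat.exe"),
    ("File created", r"C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.id[EDCB8A5F-2930].[attacker@example.com].eking"),
    ("File opened for modification", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.id[EDCB8A5F-2930].[attacker@example.com].eking"),
    ("File opened for modification", r"C:\Program Files (x86)\Windows Media Player\wmpshare.exe"),
]


def parse_phobos_name(path):
    """Return the parsed fields for a Phobos-style name, or None if it is not one."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def triage(events):
    """Summarise (action, path) rows: distinct encrypted files, the victim IDs,
    contacts and extensions seen, and which plain files that were opened for
    writing have an encrypted twin in the same event list."""
    encrypted = {}   # encrypted path -> parsed fields (deduplicated per path)
    touched = set()  # plain paths the process opened for modification
    for action, path in events:
        fields = parse_phobos_name(path)
        if fields:
            encrypted[path] = fields
        elif action == "File opened for modification":
            touched.add(path)
    originals = {f["original"] for f in encrypted.values()}
    return {
        "encrypted_files": len(encrypted),
        "victim_ids": dict(Counter(f["victim_id"] for f in encrypted.values())),
        "contacts": dict(Counter(f["contact"] for f in encrypted.values())),
        "extensions": dict(Counter(f["ext"] for f in encrypted.values())),
        "paired": sorted(touched & originals),    # written and encrypted copy seen
        "unpaired": sorted(touched - originals),  # written, no encrypted copy in the list
    }


def ioc_patterns(events):
    """One glob per (victim ID, contact, extension) triple seen in the events."""
    patterns = set()
    for _, path in events:
        f = parse_phobos_name(path)
        if f:
            patterns.add(f"*.id[{f['victim_id']}].[{f['contact']}].{f['ext']}")
    return sorted(patterns)


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(summary["encrypted_files"], "encrypted files", summary["victim_ids"])
    print("paired:", summary["paired"])
    print("IOC patterns:", ioc_patterns(SAMPLE_EVENTS))
```

When hunting with the derived pattern on other hosts, drop the `id[...]` component and match on `.[<contact>].eking` only: the victim ID changes per host, the contact and extension do not. Files that show as "unpaired" here are simply outside the sampled rows; in the full log every written file should have an encrypted twin.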

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
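The four rows above are Plug and Play device-instance paths under the SYSTEM hive's Enum key, read by vds.exe (the Virtual Disk Service) while it services the sample's storage enumeration. Each path encodes the bus (SCSI), the device type, vendor and product, and an instance ID; the `FriendlyName` value is what a drive listing displays. The helper below is an added example, not part of the report, that parses these paths into their fields, collapses the opened-key and queried-value rows into one record per device, and flags vendor strings that belong to virtual hardware: the DVD-ROM here reports QEMU, so the detonation environment is visibly virtualized to anything that performs the same lookup. The HYPERVISOR_VENDORS set is this example's assumption; the sample paths are the report's own rows.

```python
"""Added helper (not from the report) that parses the device-instance paths
vds.exe read under the SYSTEM hive's Enum key and summarises the storage the
sample could see. The hypervisor vendor list is an assumption of this example.
"""
import re

ENUM_PATH = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\"
    r"(?P<bus>[^\\]+)\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)"
    r"(?:\\(?P<value>[^\\]+))?$",  # a fourth component is the value name queried
    re.IGNORECASE,
)

# Vendor strings that only appear on virtual storage (assumed list; MSFT is
# the vendor reported by Hyper-V virtual disks).
HYPERVISOR_VENDORS = {"QEMU", "VBOX", "VMWARE", "VIRTIO", "XEN", "MSFT"}

# The report's own rows for this signature.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName"),
]


def parse_enum_path(path):
    """Split an Enum registry path into bus, device type, vendor, product,
    instance ID and, if present, the value name that was queried."""
    m = ENUM_PATH.match(path)
    if not m:
        return None
    parts = m.group("device").upper().split("&")  # e.g. DISK&VEN_DADY&PROD_HARDDISK
    fields = {
        "bus": m.group("bus").upper(),
        "device_type": parts[0],
        "vendor": None,
        "product": None,
        "instance": m.group("instance").upper(),   # e.g. 4&215468A5&0&000000
        "value": m.group("value"),
    }
    for p in parts[1:]:
        if p.startswith("VEN_"):
            fields["vendor"] = p[len("VEN_"):]
        elif p.startswith("PROD_"):
            fields["product"] = p[len("PROD_"):]
    fields["hypervisor_vendor"] = fields["vendor"] in HYPERVISOR_VENDORS
    return fields


def inventory(events):
    """Collapse (action, path) rows into one record per device, case-normalised,
    recording which value names were read for it."""
    devices = {}
    for _, path in events:
        f = parse_enum_path(path)
        if f is None:
            continue
        key = (f["bus"], f["device_type"], f["vendor"], f["product"], f["instance"])
        rec = devices.setdefault(
            key, {**{k: v for k, v in f.items() if k != "value"}, "values_read": set()}
        )
        if f["value"]:
            rec["values_read"].add(f["value"])
    return list(devices.values())


def hypervisor_vendors_seen(events):
    """Sorted list of virtual-hardware vendors among the enumerated devices."""
    return sorted({d["vendor"] for d in inventory(events) if d["hypervisor_vendor"]})


if __name__ == "__main__":
    for d in inventory(SAMPLE_EVENTS):
        print(d["bus"], d["device_type"], d["vendor"], d["product"], d["instance"], sorted(d["values_read"]))
    print("hypervisor vendors:", hypervisor_vendors_seen(SAMPLE_EVENTS))
```

The report attributes these reads to vds.exe, not to the sample, and any drive enumeration triggers them; the rows therefore do not show that the sample fingerprints virtual machines, only that a sample which did would see "QEMU" here. When reproducing the detonation on bare metal or a differently configured VM, compare the vendor and product fields rather than the full path: the instance ID (`4&215468A5&...`) is specific to the host's bus layout.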

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A (64 identical rows collapsed to one: the sandbox recorded 64 hits for this signature, all from the sample process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2956 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4144 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4144 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2956 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2956 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4144 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4144 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2956 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2956 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2956 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\SysWOW64\mshta.exe
PID 4700 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1400 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1400 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1400 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1400 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1400 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1400 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1400 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1400 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1400 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[EDCB8A5F-2930].[[email protected]].eking

MD5 861b2019829d666ec4ed4ea88bc7365e
SHA1 3ced51b4abe0949d3837101e65137b3e196134e3
SHA256 bee5c8c7fafef9f8f6051a51e58ddc60e0520b4d72216b9c5c1a00d5a98fb11e
SHA512 3f1516b7a97046247ace10c912cb8670fb791dc01fe6c9c8d3562d066c2057563be12b2e94900fdc9b3ba682573b233b31a9766a71a2ed3c551bb9e1fd9ded1c

C:\info.hta

MD5 6b3037e14e288dbd5fd9f386b3697e54
SHA1 47814c481cc5a082910dbee4bb774165035c9cef
SHA256 5200f1f695020b21a788d3fd15d73abe2dbb180c10e4a9410975bb06b1c0e987
SHA512 822cde185947e26df0b9a6969eb695af655422485ff0264d533de9b880a6fc92c5abbe4a5cbfe9209c949b58bed71120abe3ec422702250e490e49ca78af9788