Malware Analysis Report

2024-09-23 05:41

Sample ID 240605-a6gn8shh37
Target 98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7
SHA256 98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7

Threat Level: Known bad

The file 98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Renames multiple (281) files with added filename extension

Renames multiple (290) files with added filename extension

Gandcrab Payload

Detects ransomware indicator

Deletes shadow copies

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-05 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 00:49

Reported

2024-06-05 00:51

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Detects ransomware indicator

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gandcrab Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (281) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\6adebe266adeb9cb4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\EnableEdit.midi C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ExpandCompare.vb C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\RedoConvert.raw C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\RemoveRestart.mpeg C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\RequestRepair.vsdm C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\SubmitSkip.MOD C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\UseMerge.mid C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6adebe266adeb9cb4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\GrantClose.vbe C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\SavePublish.vsd C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\WatchDeny.mp4 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\MergeSuspend.3gp2 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6adebe266adeb9cb4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ResetDebug.dib C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\TestUnlock.aifc C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\6adebe266adeb9cb4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ClearGet.vbs C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ConnectRestart.m3u C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\UnregisterSwitch.scf C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ClearSearch.vbe C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\CompleteMerge.gif C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\DebugInitialize.mpe C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ExitSplit.ram C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\LockRestore.clr C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6adebe266adeb9cb4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\CloseSkip.doc C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\CopyCheckpoint.vbe C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe

"C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.billerimpex.com udp
US 8.8.8.8:53 www.macartegrise.eu udp
FR 13.37.6.203:80 www.macartegrise.eu tcp
FR 13.37.6.203:80 www.macartegrise.eu tcp
FR 13.37.6.203:443 www.macartegrise.eu tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
FR 3.162.33.170:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 www.poketeg.com udp
US 104.155.138.21:80 www.poketeg.com tcp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 perovaphoto.ru udp
US 8.8.8.8:53 asl-company.ru udp
RU 87.236.16.243:80 asl-company.ru tcp
RU 87.236.16.243:80 asl-company.ru tcp
US 8.8.8.8:53 www.fabbfoundation.gm udp
US 66.235.200.146:80 www.fabbfoundation.gm tcp
US 66.235.200.146:443 www.fabbfoundation.gm tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 2.17.107.226:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.perfectfunnelblueprint.com udp
US 8.8.8.8:53 www.perfectfunnelblueprint.com udp
US 8.8.8.8:53 www.wash-wear.com udp
US 172.67.188.72:80 www.wash-wear.com tcp
US 172.67.188.72:80 www.wash-wear.com tcp
US 8.8.8.8:53 pp-panda74.ru udp
US 8.8.8.8:53 cevent.net udp
US 107.178.223.183:80 cevent.net tcp
US 107.178.223.183:80 cevent.net tcp
US 104.155.138.21:80 cevent.net tcp
US 8.8.8.8:53 bellytobabyphotographyseattle.com udp
US 8.8.8.8:53 alem.be udp
DE 3.64.163.50:80 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
US 8.8.8.8:53 boatshowradio.com udp
US 107.178.223.183:80 boatshowradio.com tcp
US 104.155.138.21:80 boatshowradio.com tcp
US 104.155.138.21:80 boatshowradio.com tcp
US 8.8.8.8:53 dna-cp.com udp
US 104.21.61.34:80 dna-cp.com tcp
US 104.21.61.34:443 dna-cp.com tcp
US 8.8.8.8:53 acbt.fr udp
FR 213.186.33.3:80 acbt.fr tcp
FR 213.186.33.3:443 acbt.fr tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 udp
N/A 213.238.168.171:80 tcp

Files

C:\Users\KRAB-DECRYPT.txt

MD5 b8d62cf511953fa2827939541c1adc17
SHA1 d6fd83c014a3d3213b716bf0fe050f6474ff9dc9
SHA256 a6f00364785f5e9d70fc3b9f18472853377a54d439c79847f83ab957c54c3a59
SHA512 fc2af384f64c0521de8c928773ff4b7f407a7cb828ecec5539a00ad226471930289c1606fcd73a9b33d75335ffebe758b71fc43b9bd8274c88caf5884838006d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2B9A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37c1c8fe72b9418cbcc7a52d664891a6
SHA1 103f4abe0f8601fce83fb2e48ee2e5d7f9d3a5b9
SHA256 040cb701781c4d7d7a2f43b11292281016ccd7cc3c19133f2a034402dbb9ca86
SHA512 be7afbd0125584d90490671c295711f9da81ede94d839c3e71c5087fe080056698059fcdf7bb0b247555fc9a169622b7c6f41bd102d199bed48d4f2539c70af6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 024f5adb9f8cb091425c30fc19119502
SHA1 b590d0ed92abd16cb845973092ee4b9f9a328a2e
SHA256 d3ecd2f64671beb6fd4a3d856383d9b1614e5e92f2815bfa0b0ae2e958ed5ff0
SHA512 5f38edb7581891857cc20f829c401e9bb7eeed245e6a61bfd461a76e5fe49f0391670324eb076ba6b32db77954a643f735644b0cd4247a98ac328438d0144962

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae667aa65f007db9714bd8c27241fe8a
SHA1 85fffdd8c19a0c0260b43980640454d59e55be28
SHA256 3ed469e2a94adfc15a7bcd47ea4ed7215662e606c260526eb659ef62c690a581
SHA512 5c9e8e827b228d91fb9b9e6a3c9e562ccdbf3e4b9c749fcdde44751d41436669107c6599122cbf2d801f55ee4e469b4d439a76318dd1899603b3679cc41c0fae

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 00:49

Reported

2024-06-05 00:51

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Detects ransomware indicator

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gandcrab Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (290) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ee990d12ee990aff4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MountExport.emf C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\TestOut.ADT C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files\ee990d12ee990aff4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\PingProtect.tif C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\SendStop.ppsm C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files\KRAB-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\EnableDeny.wax C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\GetResize.wmf C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\MountImport.dxf C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\UpdateNew.xps C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\UpdateGrant.bin C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File created C:\Program Files (x86)\ee990d12ee990aff4d.lock C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\CheckpointDismount.xltx C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\ProtectUninstall.xltx C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\RepairShow.3gp2 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\SwitchStop.mpp C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
File opened for modification C:\Program Files\UnprotectOptimize.raw C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
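The Program Files table above carries the three file artefacts this sample leaves in every directory it works through: a KRAB-DECRYPT.txt ransom note, a hex-named .lock marker (ee990d12ee990aff4d.lock), and the user files it opens for modification. The Python below is an added example, not code from this report or from any sandbox vendor, showing how a file-event detector can turn that pattern into a verdict: it groups constructed Sysmon-style (action, path, process) events by writing process and flags a process that drops a ransom note and modifies at least a threshold of distinct files. The event shape, the benign comparison events, the threshold of five and the lock-marker regex are my assumptions.

```python
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe")

# Constructed file events as (action, path, writing process), modelled on the
# "Drops file in Program Files directory" table plus a made-up benign installer.
# Not real telemetry.
SAMPLE_EVENTS = [
    ("modify", r"C:\Program Files\MountExport.emf", SAMPLE),
    ("modify", r"C:\Program Files\TestOut.ADT", SAMPLE),
    ("create", r"C:\Program Files\ee990d12ee990aff4d.lock", SAMPLE),
    ("modify", r"C:\Program Files\PingProtect.tif", SAMPLE),
    ("modify", r"C:\Program Files\SendStop.ppsm", SAMPLE),
    ("create", r"C:\Program Files (x86)\KRAB-DECRYPT.txt", SAMPLE),
    ("create", r"C:\Program Files\KRAB-DECRYPT.txt", SAMPLE),
    ("modify", r"C:\Program Files\EnableDeny.wax", SAMPLE),
    ("modify", r"C:\Program Files\GetResize.wmf", SAMPLE),
    ("create", r"C:\Program Files (x86)\ee990d12ee990aff4d.lock", SAMPLE),
    # Benign comparison: an installer writing its own files (constructed).
    ("create", r"C:\Program Files\Notepad++\readme.txt", r"C:\Users\Admin\Downloads\npp.exe"),
    ("modify", r"C:\Program Files\Notepad++\config.xml", r"C:\Users\Admin\Downloads\npp.exe"),
]

# Ransom note name is taken from the report; the lock-marker pattern (16+ hex
# chars followed by .lock) is an assumption generalised from the one file seen.
RANSOM_NOTE_RE = re.compile(r"^KRAB-DECRYPT\.txt$", re.IGNORECASE)
LOCK_MARKER_RE = re.compile(r"^[0-9a-f]{16,}\.lock$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def summarize(events):
    """Group file events by writing process and collect the three artefact types."""
    per_proc = defaultdict(lambda: {"notes": set(), "locks": set(), "modified": set()})
    for action, path, proc in events:
        name = basename(path)
        stats = per_proc[proc]
        if action == "create" and RANSOM_NOTE_RE.match(name):
            stats["notes"].add(parent_dir(path))      # one note per directory
        elif action == "create" and LOCK_MARKER_RE.match(name):
            stats["locks"].add(parent_dir(path))      # one marker per directory
        elif action == "modify":
            stats["modified"].add(path)               # candidate encrypted files
    return per_proc


def verdict(stats, min_modified=5):
    """Ransom note plus many modified files is the ransomware signal; a note or
    lock marker alone is worth a look but could be a copied artefact."""
    if stats["notes"] and len(stats["modified"]) >= min_modified:
        return "ransomware"
    if stats["notes"] or stats["locks"]:
        return "suspicious"
    return "benign"


def classify(events, min_modified=5):
    """Map each writing process to its verdict."""
    return {proc: verdict(s, min_modified) for proc, s in summarize(events).items()}


if __name__ == "__main__":
    for proc, v in classify(SAMPLE_EVENTS).items():
        print(f"{v:10s} {proc}")
```

The directory-level sets matter more than raw counts: a ransom note appearing in several directories written by one process is the distinguishing shape, since a single copied KRAB-DECRYPT.txt in a user's Downloads folder should only score as suspicious.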

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe

"C:\Users\Admin\AppData\Local\Temp\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
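The process tree above is the mechanism behind the "Deletes shadow copies", "Suspicious use of AdjustPrivilegeToken" and "Uses Volume Shadow Copy service COM API" signatures: the sample spawns wmic.exe with `shadowcopy delete`, wmic.exe enables a broad set of token privileges, and vssvc.exe is started to service the request. Two details are worth reading off the tree. The image path is C:\Windows\SysWOW64\wbem\wmic.exe although the command line names system32; that is WoW64 file-system redirection, which tells you the parent is a 32-bit process. And the parent is an executable in the user's Temp directory, not an administrative tool. The Python below is an added example, not part of this report, of a process-creation rule set covering this command and its common equivalents (vssadmin, wbadmin, bcdedit, PowerShell over Win32_ShadowCopy). The first event is the one from the tree; the other events, the severity scheme and the regexes are my own constructions.

```python
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\98d96f9067b4b5a1c6beb699f8a1b24d3347b9d54bee43c99549d44ace01a9b7.exe")

# Constructed process-creation events (image, command line, parent image).
# Only the first one is taken from the process tree above.
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
     "parent": SAMPLE},
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic os get caption,version",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
]

# Command-line patterns for shadow copy and recovery destruction. Matching is
# done on a normalised (unquoted, lower-cased, whitespace-collapsed) string so
# quoting tricks and mixed case do not evade the rule.
RULES = [
    ("wmic_shadowcopy_delete",        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("vssadmin_delete_shadows",       r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wbadmin_delete_catalog",        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("bcdedit_disable_recovery",      r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("powershell_win32_shadowcopy",   r"\bwin32_shadowcopy\b.*\bdelete\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def normalize(cmdline):
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()


def match_rules(cmdline):
    """Names of every rule the command line triggers, in RULES order."""
    norm = normalize(cmdline)
    return [name for name, rx in COMPILED if rx.search(norm)]


def is_wow64_redirected(image, cmdline):
    """True when the caller asked for system32 but the loaded image lives in
    SysWOW64: the parent is a 32-bit process on a 64-bit Windows."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in normalize(cmdline)


def parent_is_windows(parent):
    """Crude allow-list: parents under Windows or Program Files score lower."""
    return parent.lower().startswith(("c:\\windows\\", "c:\\program files"))


def triage(events):
    """Return one finding per event that triggers a rule."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if not hits:
            continue
        findings.append({
            "image": ev["image"],
            "rules": hits,
            "severity": "medium" if parent_is_windows(ev["parent"]) else "high",
            "wow64": is_wow64_redirected(ev["image"], ev["cmdline"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f["severity"], f["rules"], "wow64" if f["wow64"] else "", f["image"])
```

Read-only invocations such as `vssadmin list shadows` or `wmic os get` stay silent, which keeps the rule usable on administrator workstations; the parent-path check is what lifts the sample's invocation to high severity, because a legitimate backup tool is not launched from a user's Temp directory.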

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.billerimpex.com udp
US 8.8.8.8:53 www.macartegrise.eu udp
FR 13.37.6.203:80 www.macartegrise.eu tcp
FR 13.37.6.203:80 www.macartegrise.eu tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.6.37.13.in-addr.arpa udp
FR 13.37.6.203:443 www.macartegrise.eu tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
FR 3.162.33.170:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 90.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 5.200.245.18.in-addr.arpa udp
US 8.8.8.8:53 170.33.162.3.in-addr.arpa udp
US 8.8.8.8:53 www.poketeg.com udp
US 104.155.138.21:80 www.poketeg.com tcp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 perovaphoto.ru udp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 asl-company.ru udp
RU 87.236.16.243:80 asl-company.ru tcp
RU 87.236.16.243:80 asl-company.ru tcp
US 8.8.8.8:53 243.16.236.87.in-addr.arpa udp
US 8.8.8.8:53 www.fabbfoundation.gm udp
US 66.235.200.146:80 www.fabbfoundation.gm tcp
US 66.235.200.146:443 www.fabbfoundation.gm tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.200.235.66.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 www.perfectfunnelblueprint.com udp
US 8.8.8.8:53 www.wash-wear.com udp
US 172.67.188.72:80 www.wash-wear.com tcp
US 8.8.8.8:53 72.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 172.67.188.72:80 www.wash-wear.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 pp-panda74.ru udp
US 8.8.8.8:53 cevent.net udp
US 104.155.138.21:80 cevent.net tcp
US 104.155.138.21:80 cevent.net tcp
US 8.8.8.8:53 bellytobabyphotographyseattle.com udp
US 8.8.8.8:53 alem.be udp
DE 3.64.163.50:80 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.64.163.50:443 alem.be tcp
DE 3.64.163.50:443 alem.be tcp
US 8.8.8.8:53 boatshowradio.com udp
US 107.178.223.183:80 boatshowradio.com tcp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 107.178.223.183:80 boatshowradio.com tcp
US 8.8.8.8:53 dna-cp.com udp
US 172.67.205.197:80 dna-cp.com tcp
US 172.67.205.197:443 dna-cp.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 197.205.67.172.in-addr.arpa udp
US 8.8.8.8:53 acbt.fr udp
FR 213.186.33.3:80 acbt.fr tcp
US 8.8.8.8:53 3.33.186.213.in-addr.arpa udp
FR 213.186.33.3:443 acbt.fr tcp
US 8.8.8.8:53 153.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 wpakademi.com udp
TR 213.238.168.171:80 wpakademi.com tcp
TR 213.238.168.171:443 wpakademi.com tcp
US 8.8.8.8:53 171.168.238.213.in-addr.arpa udp
US 8.8.8.8:53 www.cakav.hu udp
US 8.8.8.8:53 www.mimid.cz udp
CZ 62.109.154.30:80 www.mimid.cz tcp
CZ 62.109.154.30:80 www.mimid.cz tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
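The Network table mixes several kinds of traffic: DNS queries to the sandbox resolver (8.8.8.8:53), reverse (in-addr.arpa) lookups the sandbox performs on every destination it sees, certificate-status fetches (amazontrust.com OCSP, lencr.org) triggered by TLS connections, and the sample's own HTTP and HTTPS connections to a long list of unrelated domains. The Python below is an added example, not code from this report, that parses an excerpt of this table into actionable indicators: hosts actually contacted with their IPs and ports, and domains that were queried but never connected to (the dns_only list, typically dead or unresolvable hosts). The row format is taken from the table, including the row with no domain column; the resolver and certificate-infrastructure filter lists are my assumptions and should be extended locally.

```python
from collections import defaultdict

# Constructed excerpt of the Network table above (Country Destination Domain
# Proto). The final row reproduces the page's domain-less entry.
NETWORK_TABLE = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.billerimpex.com udp
US 8.8.8.8:53 www.macartegrise.eu udp
FR 13.37.6.203:80 www.macartegrise.eu tcp
FR 13.37.6.203:80 www.macartegrise.eu tcp
US 8.8.8.8:53 203.6.37.13.in-addr.arpa udp
FR 13.37.6.203:443 www.macartegrise.eu tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
FR 3.162.33.170:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 perovaphoto.ru udp
RU 87.236.16.243:80 asl-company.ru tcp
GB 142.250.187.202:443 tcp
"""

# Assumptions: the sandbox resolver, and CA infrastructure that is a side
# effect of TLS rather than an attacker-controlled destination.
RESOLVERS = {"8.8.8.8"}
CERT_INFRA_SUFFIXES = ("amazontrust.com", "lencr.org", "letsencrypt.org", "digicert.com")


def parse_rows(text):
    """Parse the table into dicts; rows may lack the Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(domain):
    """Reverse lookups and CA infrastructure are not indicators of this sample."""
    if domain.endswith(".in-addr.arpa"):
        return True
    return any(domain == s or domain.endswith("." + s) for s in CERT_INFRA_SUFFIXES)


def extract_iocs(text):
    """Split the table into contacted hosts and domains that were only queried."""
    queried = set()
    contacted = defaultdict(lambda: {"ips": set(), "ports": set()})
    for row in parse_rows(text):
        if row["domain"] and is_noise(row["domain"]):
            continue
        if row["ip"] in RESOLVERS and row["port"] == 53:
            if row["domain"]:
                queried.add(row["domain"])
            continue
        key = row["domain"] or row["ip"]          # fall back to the bare IP
        contacted[key]["ips"].add(row["ip"])
        contacted[key]["ports"].add(row["port"])
    hosts = {k: {"ips": sorted(v["ips"]), "ports": sorted(v["ports"])}
             for k, v in contacted.items()}
    return {"hosts": hosts, "dns_only": sorted(queried - set(hosts))}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    for host, info in iocs["hosts"].items():
        print(f"{host:28s} {','.join(info['ips']):16s} ports={info['ports']}")
    print("queried only:", iocs["dns_only"])
```

The hosts dictionary is what goes into a blocklist or a retro-hunt; the dns_only list is worth keeping separately, since a domain the sample tried and failed to reach can still be a useful pivot even though blocking it changes nothing today.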

Files

memory/2428-0-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-1-0x00000000021E0000-0x000000000221C000-memory.dmp

memory/2428-2-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-5-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-4-0x0000000000401000-0x0000000000423000-memory.dmp

memory/2428-6-0x0000000002220000-0x0000000002221000-memory.dmp

memory/2428-7-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-10-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-11-0x0000000000400000-0x000000000044A000-memory.dmp

C:\$Recycle.Bin\KRAB-DECRYPT.txt

MD5 a9093fa6ceae23cd4ccd684fe9537260
SHA1 e714bc6d7c153417e26e09cf7436550e0d9a547f
SHA256 6164f76da7b9d92fca4c695e802c5f6a5f887ca6aab9abbdbc15d6f09f18347e
SHA512 fe94c47b1e6ca9c9c4233813c0492497379c78d4418bff2155d82ef14718fdba90715b1c5fd9865deff68b3579236f60730ff425669fe61474130d0e148cd04b

memory/2428-73-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-764-0x00000000021E0000-0x000000000221C000-memory.dmp

memory/2428-765-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2428-766-0x0000000000401000-0x0000000000423000-memory.dmp