Malware Analysis Report

2024-09-11 00:56

Sample ID: 240702-3jkftsvhlb
Target: 560eb48d1b2104f4dc3b1607bf42b35e35dfe81272675040df305e0dc85ce33e
SHA256: 560eb48d1b2104f4dc3b1607bf42b35e35dfe81272675040df305e0dc85ce33e
Tags: phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Known bad

The file 560eb48d1b2104f4dc3b1607bf42b35e35dfe81272675040df305e0dc85ce33e was found to be: Known bad.

Malicious Activity Summary

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (516) files with added filename extension

Renames multiple (313) files with added filename extension

Deletes shadow copies

Modifies Windows Firewall

Deletes backup catalog

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-02 23:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-02 23:32
Reported: 2024-07-02 23:35
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B47A1C67-2822].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08 = "C:\\Users\\Admin\\AppData\\Local\\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe" | C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08 = "C:\\Users\\Admin\\AppData\\Local\\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe" | C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1276 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1276 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2820 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1276 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1276 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1276 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1276 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1276 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1276 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1276 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2392 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1040 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1040 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1040 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1040 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1040 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1040 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1040 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1040 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 8ab748c6871be62e85b1cc3bfc3f6cc5
SHA1 5dd9ee741e257079022914ece8a07739f9933462
SHA256 06afca935dadb8022872ba9e803520bdbb3841fa8e37862ea2fd680d54ac2c2b
SHA512 51f7c4cd9b690c9fb4295eeaf8ad319558d816bdb51f02d4a34a442c14ee205511d56c8cdbfdce2bbda90374c4612923ac19b567649b96399e479cdf8c021547

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 23:32

Reported

2024-07-02 23:35

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (516) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08 = "C:\\Users\\Admin\\AppData\\Local\\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe" C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08 = "C:\\Users\\Admin\\AppData\\Local\\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe" C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotExist.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\ui-strings.js.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-60.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\Microsoft.PowerShell.PSReadline.Resources.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLL.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.id[FF0F096E-2822].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2976 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5060 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5060 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5060 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5060 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2976 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2976 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2976 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2976 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2296 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\SysWOW64\mshta.exe
PID 2296 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2972 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe

"C:\Users\Admin\AppData\Local\Temp\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
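
The process list above is the classic Phobos recovery-inhibition chain: the sample spawns two cmd.exe children, one of which deletes shadow copies (vssadmin, wmic), disables Windows recovery (bcdedit) and wipes the backup catalog (wbadmin), while the other turns off the firewall with both the legacy and the advfirewall netsh syntax; the sample itself then launches mshta.exe to display info.hta. Any one of these commands can be legitimate administration, so the useful detection is correlation by parent process rather than a single command-line match. The following is an added example written by the editor, not part of the sandbox report or of any vendor's rule set. It builds process-creation records shaped like Sysmon Event ID 1 from the PIDs, images and command lines in the Processes and WriteProcessMemory tables, walks the parent chain to attribute each hit to the root process, and only raises a high-severity verdict when at least two distinct recovery-inhibition commands descend from the same root. The sample's own parent PID (1000) and the two "benign control" records for a routine shadow-copy cleanup are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records. Field names follow Sysmon Event ID 1
# (ProcessId, ParentProcessId, Image, CommandLine); PIDs, images and command lines are
# copied from the report's Processes and "Suspicious use of WriteProcessMemory" tables.
# The sample's parent PID (1000) and the benign control at the end are assumptions.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2a8353551d099c78ac100b44718a691142f8cc7879b47e842ee8491426e15c08.exe")
CMD = r"C:\Windows\system32\cmd.exe"
EVENTS = [
    {"pid": 2296, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2976, "ppid": 2296, "image": CMD, "cmd": f'"{CMD}"'},
    {"pid": 5060, "ppid": 2296, "image": CMD, "cmd": f'"{CMD}"'},
    {"pid": 1156, "ppid": 2976, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 2084, "ppid": 5060, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh advfirewall set currentprofile state off"},
    {"pid": 3360, "ppid": 5060, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh firewall set opmode mode=disable"},
    {"pid": 2352, "ppid": 2976, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 3932, "ppid": 2976, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1808, "ppid": 2976, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 3220, "ppid": 2976, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 5092, "ppid": 2296, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" '
            r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    # Benign control (constructed): an administrator pruning one old shadow copy from an
    # unrelated parent. It must match a rule but must not produce a high-severity verdict.
    {"pid": 7000, "ppid": 1000, "image": CMD, "cmd": f'"{CMD}"'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /for=D: /oldest"},
]

# (ATT&CK technique, rule name, pattern). Patterns key on the tool name, not the full path,
# so they fire whether the command was logged as "vssadmin" or "C:\...\vssadmin.exe".
RULES = [
    ("T1490", "vssadmin-delete-shadows",
     re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I)),
    ("T1490", "wmic-shadowcopy-delete",
     re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("T1490", "bcdedit-recoveryenabled-no",
     re.compile(r'bcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+recoveryenabled\s+no', re.I)),
    ("T1490", "bcdedit-ignoreallfailures",
     re.compile(r'bcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures', re.I)),
    ("T1490", "wbadmin-delete-catalog",
     re.compile(r'wbadmin(?:\.exe)?"?\s+delete\s+catalog', re.I)),
    ("T1562.004", "netsh-advfirewall-state-off",
     re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+set\s+\w+\s+state\s+off', re.I)),
    ("T1562.004", "netsh-firewall-opmode-disable",
     re.compile(r'netsh(?:\.exe)?"?\s+firewall\s+set\s+opmode\s+mode=disable', re.I)),
    ("T1218.005", "mshta-runs-hta-file",
     re.compile(r'mshta(?:\.exe)?"?\s+"?[a-z]:\\(?:[^"]*\\)?[^"\\]+\.hta', re.I)),
]


def match_rules(cmd):
    """Return the (technique, rule) pairs whose pattern occurs in one command line."""
    return [(tech, name) for tech, name, rx in RULES if rx.search(cmd)]


def root_of(pid, by_pid):
    """Walk ParentProcessId links up to the highest ancestor present in the event set.
    This is what joins the cmd.exe children back to the sample that spawned them."""
    seen = set()
    while pid not in seen and by_pid.get(pid, {}).get("ppid") in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events):
    """Group rule hits by root process: {root_pid: {"rules": {(tech, name)}, "cmds": [...]}}."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(lambda: {"rules": set(), "cmds": []})
    for e in events:
        matched = match_rules(e["cmd"])
        if matched:
            root = root_of(e["pid"], by_pid)
            hits[root]["rules"].update(matched)
            hits[root]["cmds"].append(e["cmd"])
    return dict(hits)


def verdict(events, min_recovery_rules=2):
    """Severity per root process. One shadow-copy deletion is routine admin work; two or
    more distinct recovery-inhibition commands under one root is the pattern seen above,
    and a firewall change on top of that removes any remaining doubt."""
    out = {}
    for root, h in correlate(events).items():
        recovery = {name for tech, name in h["rules"] if tech == "T1490"}
        firewall = any(tech == "T1562.004" for tech, _ in h["rules"])
        if len(recovery) >= min_recovery_rules:
            out[root] = "high: inhibit-system-recovery chain" + (
                " + firewall disabled" if firewall else "")
        elif h["rules"]:
            out[root] = "low: isolated defence-impact command, review manually"
    return out


if __name__ == "__main__":
    for root, label in verdict(EVENTS).items():
        print(f"root pid {root}: {label}")
```

Run on the constructed records, the sample's root PID 2296 collects all eight rules (five of them T1490) and is rated high with the firewall qualifier, while the control parent 7000 matches only the vssadmin rule and stays low. In production the same logic applies to Sysmon or Security 4688 events; the threshold is deliberately on distinct rule names, not event counts, because the sample runs the whole chain twice (both cmd.exe children of the second detonation repeat it) and a count would over-weight repetition.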

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[FF0F096E-2822].[[email protected]].eight

MD5 46868eb8382c96e839d156035945b9ac
SHA1 52b281f7c09c809a7932d185ab4cbe91ffe28e05
SHA256 35270717be19d3e0d4206f64e448fde23fbb0170124f327269abf94e638164d0
SHA512 bdce4c727f6531269b649b9f0cbbca195ef7cb4e61a383223f1963bd9698374d3087d797b3b2e870551839921b242945ce732342925236c47ef3abe54f5c77f6

C:\info.hta

MD5 9e0f2aaf24acff89e3147abf322d2e2d
SHA1 25784b864e2a6f23e95aa873592b92ba8d61ab02
SHA256 9942af509098a6a9ffe541fb7e73871c9959b140d7e2aa838f28099ebbc38c20
SHA512 50ed8165eaf156712187e49c646b0c1c44825924a5092897420c6b1a368db99f0d0a295b8522815fd8904eb25677b1c19201112bc827da502d124fc11016f2b0
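
The renamed file in the Files list shows the Phobos naming scheme: the original name is kept and ".id[<8 hex digits>-<4 digits>].[<contact address>].<extension>" is appended, here with identifier FF0F096E-2822 and the ".eight" extension (the contact address is obfuscated in this copy of the report). During incident response the first questions are how many files were touched, where, and whether more than one identifier or contact appears (which would indicate more than one run or sample). The following is an added example by the editor, not code from the report or from the sandbox vendor: a parser for that suffix plus a small scoping function over a constructed file listing. The first path is the one in the Files list; the contact address is a placeholder, and the remaining paths are invented for the example. What the two halves of the id encode is not stated in the report, so they are kept as opaque strings.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Phobos suffix: <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>
# The report does not say what the two id fields encode, so they stay opaque here.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"                        # pre-encryption file name, lazily matched
    r"\.id\[(?P<id_hex>[0-9A-Fa-f]{8})-(?P<id_num>\d{4})\]"
    r"\.\[(?P<contact>[^\[\]]+)\]"               # attacker contact address in brackets
    r"\.(?P<ext>[A-Za-z0-9]+)$"                  # appended extension (".eight" here)
)


def parse_phobos_name(path):
    """Split one encrypted path into its fields, or return None if it is not Phobos-renamed."""
    p = PureWindowsPath(path)
    m = PHOBOS_NAME.match(p.name)
    if not m:
        return None
    fields = m.groupdict()
    fields["directory"] = str(p.parent)
    # The path the file had before encryption; useful when restoring from a decryptor
    # or a backup, and for matching against file-integrity baselines.
    fields["original_path"] = str(p.parent / fields["original"])
    return fields


def scope_impact(paths):
    """Summarise an encrypted-file listing: how many files, where, which original types,
    and which identifier/contact pairs appear (more than one means more than one run)."""
    parsed = [f for f in map(parse_phobos_name, paths) if f]
    return {
        "total": len(paths),
        "encrypted": len(parsed),
        "by_directory": dict(Counter(f["directory"] for f in parsed)),
        "by_original_ext": dict(Counter(PureWindowsPath(f["original"]).suffix.lower()
                                        for f in parsed)),
        "campaign_ids": sorted({(f["id_hex"], f["id_num"], f["contact"], f["ext"])
                                for f in parsed}),
    }


# Constructed listing. The first path is the one in the report's Files list; the contact
# address is a placeholder (the page's copy is obfuscated); the other paths are invented.
CONTACT = "contact@example.invalid"
PATHS = [
    rf"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[FF0F096E-2822].[{CONTACT}].eight",
    rf"C:\Users\Admin\Documents\budget.xlsx.id[FF0F096E-2822].[{CONTACT}].eight",
    rf"F:\backup\site.bak.id[FF0F096E-2822].[{CONTACT}].eight",
    r"C:\Users\Admin\Documents\notes.txt",   # untouched file
    r"C:\info.hta",                           # the dropped ransom note, not an encrypted file
]

if __name__ == "__main__":
    for key, value in scope_impact(PATHS).items():
        print(f"{key}: {value}")
```

On the constructed listing this reports three encrypted files out of five, one per directory, original types .dll, .xlsx and .bak, and a single identifier/contact pair. Feeding it the output of a recursive directory listing from an affected host gives the same summary at scale; info.hta and any file that does not carry the suffix is left out of the encrypted count rather than guessed at.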