Malware Analysis Report

2024-09-11 02:35

Sample ID 240705-lwa99ayejh
Target 18072968210.zip
SHA256 d5f2ff838910ac0122366f261be209021747b53e9f4e7e75aec59710696e34b2
Tags
defense_evasion evasion execution impact persistence ransomware spyware stealer medusalocker
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5f2ff838910ac0122366f261be209021747b53e9f4e7e75aec59710696e34b2

Threat Level: Known bad

The file 18072968210.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion execution impact persistence ransomware spyware stealer medusalocker

MedusaLocker payload

Medusalocker family

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (642) files with added filename extension

Renames multiple (897) files with added filename extension

Deletes System State backups

Drops file in Drivers directory

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Windows Management Instrumentation
T1047
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Direct Volume Access
T1006
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-05 09:52

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 09:52

Reported

2024-07-05 09:55

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (642) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe\" e" C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2753856825-3907105642-1818461144-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\COMPONENTS.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\7c991837-6009-486c-8163-046dffde8efe.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b806ed25-0594-4197-bf26-d6f9eb061fb2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\ResPriImageListLowCost C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\SECURITY C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\ResPriImageList C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\DEFAULT C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e8fdd1f-67d4-4a86-8b43-69a7fb92d870 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\d6620d2d-aa84-4224-9392-3bc69a48722f.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\ResPriHMImageList C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\BBI C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e8fdd1f-67d4-4a86-8b43-69a7fb92d870.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\7c991837-6009-486c-8163-046dffde8efe C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b806ed25-0594-4197-bf26-d6f9eb061fb2.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{77924AE4-039E-4CA4-87B4-2F64180381F0}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Boot\DVD\EFI\BCD C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 1664 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1664 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1664 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1664 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1664 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 1664 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 1664 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 1664 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 1664 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\System32\Wbem\wmic.exe
PID 1664 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\System32\Wbem\wmic.exe
PID 1664 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

"C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\528502~1.EXE >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

MD5 bdd74698b4cc25f85123c01dd03e5f78
SHA1 02ed05d44e81469d3b39f8b788c3b1131b0cc9e8
SHA256 9afd656faeeb7ab16fea922bc28ec206deaaa8436479dc2ed373766b8d611dce
SHA512 c2f3c636a2ab50070191766487f0387316534def29789df9ad2228f597a42633090c97cd94aa72b068fb59455f77d6fcc3431a2b3e7fad862899ddbcbfdc95cf

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 09:52

Reported

2024-07-05 09:55

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (897) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe\" e" C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\DEFAULT C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\SOFTWARE C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\DEFAULT C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SYSTEM C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\237b389d-8851-4f5d-ae3e-4365e8e78b9b C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SECURITY C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\85fe6f29-f646-4efb-ade4-2ba61fcbb9b4.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\67e717b7-3bed-405c-9193-9e2881e30b96.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\85fe6f29-f646-4efb-ade4-2ba61fcbb9b4.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SOFTWARE C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\SAM C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\SECURITY C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SAM C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\237b389d-8851-4f5d-ae3e-4365e8e78b9b.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\EET.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\cacerts C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Bogota.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Resolute.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\LICENSE.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Qatar C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Riga.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\UTC.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\COPYRIGHT.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Atikokan.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Havana.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Toronto C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Godthab.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Montreal.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Dublin C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cayenne.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Manila.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\release C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\GMT.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\MST.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Bissau C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\setupinfo C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Boot\DVD\EFI\BCD C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Boot\DVD\PCAT\BCD C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_2 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\enwindow C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_3 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Boot\PCAT\bootmgr C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.1btc C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb1 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_0 C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\dewindow C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
File created C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\bcdedit.exe
PID 2944 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\wbadmin.exe
PID 2944 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\System32\Wbem\wmic.exe
PID 2944 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\System32\Wbem\wmic.exe
PID 2944 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\System32\Wbem\wmic.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\cmd.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\cmd.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

"C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\528502~1.EXE >> NUL

Network

N/A

Files

C:\Users\Admin\!!!HOW_TO_DECRYPT!!!.mht

MD5 893f01d2940485c52e402a2a75a2186b
SHA1 45861f33eec5e9c030687817b0e034d10d7f8d7e
SHA256 0d558373ce997137b5f4a1d487bca959c20092ce9da8a44fc3b297a19a6d69bc
SHA512 bc5545381380ba72b85d118817a0b200822f67e8c80325a5ed540f1254af511e5e21b723b2281e428ecdd3c380b7e4c1125eb8bfbadc1f11d38def6303510c62