Malware Analysis Report

2024-09-11 00:57

Sample ID 240707-whk8eaybqh
Target 0f0b08b0a369c11d49d40565b420ab1a4be75d9ba8e7eb4736488f6eea991603
SHA256 0f0b08b0a369c11d49d40565b420ab1a4be75d9ba8e7eb4736488f6eea991603
Tags
phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f0b08b0a369c11d49d40565b420ab1a4be75d9ba8e7eb4736488f6eea991603

Threat Level: Known bad

The file 0f0b08b0a369c11d49d40565b420ab1a4be75d9ba8e7eb4736488f6eea991603 was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Renames multiple (315) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (63) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 17:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 17:55

Reported

2024-07-07 17:59

Platform

win10v2004-20240704-en

Max time kernel

36s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (63) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A

Both Run values (the machine-wide HKLM key and the logged-on user's hive) are named after the sample's own file name and point at C:\Users\Admin\AppData\Local\<name>.exe, one directory above the Temp path the sample was launched from, not at the launched binary itself. No file-create for that AppData\Local path appears among the rows shown here, so confirm the copy exists on a real host before treating the path as an indicator. With the Startup-folder copy above this gives three independent autostarts. The HKLM write, like the writes under C:\Program Files below, succeeds only because the sandbox ran the sample with administrative rights.
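A triage routine for the two autostart mechanisms recorded in this run (Run values under HKLM and the user hive, plus a raw executable in the Startup folder), added here as an example; it is not part of the sandbox report and not code from the malware. It works on constructed `reg query` output and a constructed Startup-folder listing that reproduce the entries above alongside two ordinary entries (SecurityHealth, OneDrive) that must not be flagged. The scoring reasons (user-writable target, executable placed directly in the AppData root, 64-hex name) are the example's own heuristics.

```python
"""Triage Run-key and Startup-folder autostarts for the self-copy pattern in
this report: value named after the sample's own file name, target under
AppData, plus a raw .exe in the user's Startup folder."""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\temp\\", "\\users\\public\\", "\\programdata\\")
SHA256_NAME = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# Raw programs/scripts dropped straight into Startup (a .lnk shortcut is the normal case).
STARTUP_EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Parse `reg query <key>` output (a key line, then name/type/data rows
    separated by runs of spaces) into dicts with key, name, type, data."""
    rows, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            key = line
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if key and len(parts) == 3:
            rows.append({"key": key, "name": parts[0], "type": parts[1], "data": parts[2]})
    return rows


def executable_of(data: str) -> str:
    """Pull the program path out of a Run value, quoted or bare, with or without arguments."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def self_copy_reasons(name: str, exe: str) -> List[str]:
    """Reasons an autostart looks like a malware self-copy rather than vendor software."""
    path = PureWindowsPath(exe)
    low, parent = exe.lower(), str(path.parent).lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("target in user-writable profile path")
    if parent.endswith(("\\appdata\\local", "\\appdata\\roaming")):
        reasons.append("executable sits directly in the AppData root, no vendor subfolder")
    if SHA256_NAME.match(name) or SHA256_NAME.match(path.stem):
        reasons.append("value/file name is a 64-hex digest")
    return reasons


def triage_autostarts(reg_query_text: str, startup_files: Iterable[str]) -> List[Dict]:
    """Score every Run value and Startup-folder file; most suspicious first."""
    findings = []
    for row in parse_reg_query(reg_query_text):
        exe = executable_of(row["data"])
        findings.append({"source": row["key"], "name": row["name"], "target": exe,
                         "reasons": self_copy_reasons(row["name"], exe)})
    for raw in startup_files:
        path = PureWindowsPath(raw)
        reasons = ["raw executable in Startup folder"] if path.suffix.lower() in STARTUP_EXEC_EXT else []
        reasons += self_copy_reasons(path.stem, raw)
        findings.append({"source": "Startup folder", "name": path.name, "target": raw, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def high_confidence(findings: List[Dict], min_reasons: int = 2) -> List[Dict]:
    return [f for f in findings if len(f["reasons"]) >= min_reasons]


SAMPLE_NAME = "45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f"
# Constructed `reg query` output: the two Run values from the report plus two
# ordinary entries (SecurityHealth, OneDrive) that must not be flagged.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    <NAME>    REG_SZ    C:\Users\Admin\AppData\Local\<NAME>.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    <NAME>    REG_SZ    C:\Users\Admin\AppData\Local\<NAME>.exe
""".replace("<NAME>", SAMPLE_NAME)
# Constructed listing of the user's Startup folder (the copy from the report plus desktop.ini).
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_FILES = [STARTUP_DIR + "\\" + SAMPLE_NAME + ".exe", STARTUP_DIR + "\\desktop.ini"]

if __name__ == "__main__":
    for f in triage_autostarts(REG_QUERY_OUTPUT, STARTUP_FILES):
        print(len(f["reasons"]), f["source"], f["name"], f["reasons"])
```

On a live host the same functions take the real output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKCU key) and a directory listing of the Startup folder; a single reason (OneDrive under AppData\Local, desktop.ini in Startup) is ordinary, two or more is what the self-copy in this report produces.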

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2494989678-839960665-2515455429-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2494989678-839960665-2515455429-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A

The F:\ row shows the encryptor walking a second attached volume, not only the system drive.

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe; Target: N/A. The 29 "File created" rows carry the appended suffix .id[C6692232-3483].[[email protected]].8base and are the renamed, encrypted outputs (the contact address between the inner brackets survives on this page only as the placeholder text "[email protected]"); the 35 "File opened for modification" rows are the originals opened for writing.

Description | Indicator
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll
File created | C:\Program Files\7-Zip\7zCon.sfx.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\7-Zip\7zG.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\7-Zip\Lang\it.txt.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.id[C6692232-3483].[[email protected]].8base
File created | C:\Program Files\7-Zip\Lang\bg.txt.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt
File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.id[C6692232-3483].[[email protected]].8base
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.id[C6692232-3483].[[email protected]].8base
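A parser for the naming pattern in the table above, added here as an example; it is not part of the sandbox report and not code from the malware. It splits an encrypted name into its parts and counts how many files under one victim id were renamed, which is the check a responder runs over a file listing to scope an incident. The part names (victim_id, variant, contact, extension) are the example's own labels for the fields; the page shows only the literal suffix, and the contact field is kept permissive because on this page it survives only as placeholder text.

```python
"""Decompose Phobos/8Base-style encrypted file names and flag a mass rename."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Naming pattern seen in the "File created" rows above:
#   <original>.id[<8 hex chars>-<4 digits>].[<contact>].<extension>
# On this page the contact address survives only as the placeholder
# "[email protected]" (an extraction artifact), so the contact group only
# requires the surrounding brackets and accepts any text inside them.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<variant>\d{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class EncryptedName:
    original: str    # file name before the suffix was appended
    victim_id: str   # 8-hex id, C6692232 in this report
    variant: str     # 4-digit number after the dash, 3483 here
    contact: str     # bracketed contact address (placeholder on this page)
    extension: str   # campaign extension, 8base here


def parse_encrypted_name(filename: str) -> Optional[EncryptedName]:
    """Return the decomposed name, or None when the name is not Phobos-style."""
    m = PHOBOS_NAME_RE.match(filename)
    return EncryptedName(**m.groupdict()) if m else None


def summarize_renames(paths: Iterable[str], threshold: int = 10) -> dict:
    """Count Phobos-style names by victim id, extension and top-level
    directory, and call it a mass rename when one id covers >= threshold files."""
    by_id: Counter = Counter()
    by_ext: Counter = Counter()
    by_top_dir: Counter = Counter()
    for raw in paths:
        path = PureWindowsPath(raw)
        parsed = parse_encrypted_name(path.name)
        if parsed is None:
            continue                       # untouched file, or not this family
        by_id[parsed.victim_id] += 1
        by_ext[parsed.extension] += 1
        by_top_dir[str(PureWindowsPath(*path.parts[:2]))] += 1   # drive + first dir
    total = sum(by_id.values())
    return {
        "encrypted_files": total,
        "victim_ids": dict(by_id),
        "extensions": dict(by_ext),
        "top_dirs": dict(by_top_dir),
        "mass_rename": total >= threshold and len(by_id) == 1,
    }


# Constructed input: six "File created" paths and two untouched files copied
# from the table above.
SAMPLE_PATHS = [
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\7-Zip\7zCon.sfx.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\7-Zip\Lang\it.txt.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.id[C6692232-3483].[[email protected]].8base",
    r"C:\Program Files\7-Zip\7zG.exe",
    r"C:\Program Files\7-Zip\Lang\eu.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(PureWindowsPath(p).name, "->", parse_encrypted_name(PureWindowsPath(p).name))
    print(summarize_renames(SAMPLE_PATHS, threshold=5))
```

Feed it the output of a recursive directory listing from an affected host; one victim id across many files and one extension is the signature of a single run, while several ids or extensions point at more than one infection or more than one affiliate build.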

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Every netsh.exe start reads HKLM\SOFTWARE\Microsoft\NetSh to find the helper DLLs it must load, so these six reads (open, query, enumerate, once for each of the two netsh.exe processes launched through cmd.exe) are the normal cost of the two firewall commands the sample issued. No row writes to that key: there is no evidence here of a planted helper DLL (T1546.007), and this signature is a by-product of "Modifies Windows Firewall" rather than a separate persistence mechanism.

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A

All four reads come from vds.exe, the Virtual Disk Service, a Windows component that enumerates attached disks when it is started; none is attributed to the sample process. The QEMU DVD-ROM and Ven_DADY disk identifiers expose the sandbox's virtual hardware and would be a VM tell if the sample had read them, but no row shows that, so this signature is not evidence of sandbox detection by the sample.

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A
(64 identical rows: 64 process-enumeration events, all from the sample process.)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
(The sandbox logged this 21-privilege WMIC.exe set twice in identical order; the second run of rows is folded into the one above.)
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Only the first row is the sample's own action. WMIC.exe enables the whole privilege set in its token whenever it starts, regardless of the query it runs, and vssvc.exe (Volume Shadow Copy service) and wbengine.exe (the backup engine behind wbadmin) enable backup/restore privileges as a matter of course while servicing the vssadmin, WMIC and wbadmin requests. Those rows are side effects of the commands the sample launched, not privilege escalation by the sample.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1740 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1740 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1252 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1252 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1740 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1740 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1252 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1252 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1252 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1252 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1252 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1252 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1252 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1252 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[C6692232-3483].[[email protected]].8base

MD5 116d008a0f1e751d853f0f53ba148fe3
SHA1 bf4547ec4e8b0765b2d5852f04f4e81a04e3b66b
SHA256 2796973e3ba611826171cae6a782299bf1d0787a13cfa7cf46bad192759052de
SHA512 8d07503003a7b74f5c3664d2cf3b9b598c671c8090c8420c49972cd48fc2ed80a23ba7bd00d6ecad702a77012edb7dd51469f531d551fcd3b7e8a1b4eb772d01

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 17:55

Reported

2024-07-07 17:59

Platform

win7-20240704-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (315) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TWVGEE8A\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SX809FAK\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SEQCHK10.DLL C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\sentinel.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00372_.WMF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7ge.kic.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.INF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBTRAP.DLL.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15136_.GIF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43F.GIF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50F.GIF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Brunei C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.SqlServerCe.dll.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.FR.XML C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guyana C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00726_.WMF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_ES.LEX.id[43E3E0CC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
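The renamed files in the table above all follow the Phobos/8Base naming scheme: the original name, then `.id[<victim id>-<key id>]`, then the contact address in brackets, then the `.8base` extension. In this report the address between the brackets survives only as the literal text "[email protected]" (it was obfuscated before the page was captured), so no real contact can be recovered from it. The following parser is an added example for triage, not code from the sandbox or from the sample; it assumes the row layout shown above (operation, path, process, target) and takes whatever sits between the brackets as the contact. The sample rows are copied from the table.

```python
import ntpath
import re
from collections import Counter

# Encrypted names in the table have the Phobos/8Base shape
#   <original name>.id[<8 hex victim id>-<4 hex key id>].[<contact>].<extension>
# In this report the contact between the brackets is the literal
# "[email protected]" (the address was obfuscated before capture), so the
# contact group is a non-greedy wildcard anchored on the trailing "].<ext>".
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<key_id>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<extension>[^.\\/\s]+)$"
)

# One sandbox row: "<operation> <path with spaces> <process> <target>";
# process and target never contain spaces, the path may.
ROW = re.compile(
    r"^(?P<op>File created|File opened for modification) "
    r"(?P<path>.+) (?P<process>\S+) (?P<target>\S+)$"
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

# Rows copied from the Files table above (constructed input for this example).
SAMPLE_ROWS = [
    rf"File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.id[43E3E0CC-3483].[[email protected]].8base {SAMPLE_EXE} N/A",
    rf"File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guyana {SAMPLE_EXE} N/A",
    rf"File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx.id[43E3E0CC-3483].[[email protected]].8base {SAMPLE_EXE} N/A",
    rf"File created C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.id[43E3E0CC-3483].[[email protected]].8base {SAMPLE_EXE} N/A",
]


def parse_phobos_name(path):
    """Split one encrypted file path into its fields; None if it is not an encrypted name."""
    path = path.strip()
    m = PHOBOS_NAME.match(ntpath.basename(path))
    if not m:
        return None
    fields = m.groupdict()
    fields["directory"] = ntpath.dirname(path)
    return fields


def summarize(rows):
    """Collect victim/key ids, extensions, contacts and original names from report rows."""
    parsed = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m or m.group("op") != "File created":
            continue  # "opened for modification" rows name the original file, not a rename
        fields = parse_phobos_name(m.group("path"))
        if fields:
            fields["process"] = m.group("process")
            parsed.append(fields)
    return {
        "encrypted_files": len(parsed),
        "victim_ids": Counter(f["victim_id"] for f in parsed),
        "key_ids": Counter(f["key_id"] for f in parsed),
        "extensions": Counter(f["extension"] for f in parsed),
        "contacts": sorted({f["contact"] for f in parsed}),
        "originals": [ntpath.join(f["directory"], f["original"]) for f in parsed],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(key, value)
```

The victim id (43E3E0CC) and key id (3483) are constant across every renamed file in this detonation, which is the expected Phobos behaviour: one id pair per infected host, and the same pair appears in the ransom note file names. A second victim id in the same table would point at a second host's files on a mapped share.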

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
The rows below record only netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which netsh does at every start to enumerate its registered helper DLLs. The report contains no write to that key, so the signature is fired by the sample's own netsh invocations (used here to disable the firewall, see Processes), not by registration of a helper DLL.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
The keys below are created by mshta.exe, which the sample launches to display its ransom note (info.hta, see Processes); the HTA host initialises Internet Explorer settings when it starts. The adware/spyware tag is a generic heuristic on this registry path, not evidence of a separate adware component.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A

Suspicious use of AdjustPrivilegeToken

The only privilege the sample adjusts itself is SeDebugPrivilege (first row). The remaining rows belong to vssvc.exe, wbengine.exe and WMIC.exe, Windows binaries started by the sample's vssadmin, wbadmin and wmic commands, enabling their own privileges on start; the numeric tokens are privilege LUIDs the sandbox did not resolve to names.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Every target below is a process the writer has just spawned (the sandbox logs the parent's start-up writes into each new child several times), so these rows document the process tree rather than injection into an existing process: the sample (PID 1732) starts three cmd.exe instances and four mshta.exe instances, and the cmd.exe instances start the netsh, vssadmin, WMIC, bcdedit and wbadmin children.
Description Indicator Process Target
PID 1732 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1804 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1804 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1692 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1692 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1804 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1804 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1804 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1692 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1692 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1692 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1692 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1732 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1476 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1476 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1476 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1476 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1476 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
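The PIDs in the table above are enough to rebuild the execution chain, which the sandbox does not draw. The script below is an added example (not part of the report): it de-duplicates the repeated write events, builds the parent/child tree and lists, per cmd.exe instance, which system binaries it launched. Run over the rows above it shows two cmd.exe chains (PIDs 1692 and 1476) each executing the full vssadmin, WMIC, bcdedit and wbadmin sequence and a third (1804) running the two netsh calls, which is why every recovery-inhibition command line appears twice under Processes. The sample rows are copied from the table.

```python
import ntpath
import re

# One sandbox row: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
WPM_ROW = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>\S+) (?P<child_image>\S+)$"
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

# Rows copied from the table above (constructed input); a few duplicates are kept
# on purpose because the sandbox logs several writes per child.
SAMPLE_ROWS = [line.replace("<SAMPLE>", SAMPLE_EXE) for line in r"""
PID 1732 wrote to memory of 1692 N/A <SAMPLE> C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1692 N/A <SAMPLE> C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 1804 N/A <SAMPLE> C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1692 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1804 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1692 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1732 wrote to memory of 2636 N/A <SAMPLE> C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2164 N/A <SAMPLE> C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2724 N/A <SAMPLE> C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2904 N/A <SAMPLE> C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 1476 N/A <SAMPLE> C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1476 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
""".strip().splitlines()]


def parse_wpm_rows(rows):
    """Return {child_pid: (parent_pid, parent_image, child_image)}, one entry per child."""
    edges = {}
    for row in rows:
        m = WPM_ROW.match(row.strip())
        if m:
            edges.setdefault(int(m.group("child")),
                             (int(m.group("parent")), m.group("parent_image"), m.group("child_image")))
    return edges


def build_tree(edges):
    """Return (roots, children, images); roots are PIDs that never appear as a child."""
    children, images = {}, {}
    for child, (parent, parent_image, child_image) in edges.items():
        children.setdefault(parent, []).append(child)
        images[child] = child_image
        images.setdefault(parent, parent_image)
    roots = [pid for pid in images if pid not in edges]
    return roots, children, images


def render_tree(edges):
    """Indented one-line-per-process view of the tree, depth-first in spawn order."""
    roots, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {ntpath.basename(images[pid])}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def children_by_image(edges, parent_name="cmd.exe"):
    """Distinct child image names per parent whose image is parent_name."""
    _, children, images = build_tree(edges)
    return {
        pid: sorted({ntpath.basename(images[k]) for k in kids}, key=str.lower)
        for pid, kids in children.items()
        if ntpath.basename(images[pid]).lower() == parent_name.lower()
    }


if __name__ == "__main__":
    edges = parse_wpm_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(edges)))
    print(children_by_image(edges))
```

The same parser works on a full export of the table; the only assumption is that image paths contain no spaces, which holds for every row shown here but would need quoting-aware splitting for paths under Program Files.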

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
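The command lines listed above are the whole recovery-inhibition and firewall-disabling playbook of this family: vssadmin and wmic remove the shadow copies, the two bcdedit calls turn off the recovery environment and the boot-failure prompt, wbadmin deletes the backup catalog, and netsh disables the firewall twice (the `netsh firewall set opmode` form is the pre-Vista syntax, kept so the same code works on old hosts). vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe in the list are Windows services started on demand by those calls, not components of the sample. The following detection logic is an added example (not from the report or the sandbox) that maps each command line to the ATT&CK technique it implements and only raises a ransomware verdict when several distinct recovery-inhibition steps occur together, since a lone shadow-copy deletion is something backup tooling may legitimately do. The sample command lines are copied from the Processes list above.

```python
import re

# ATT&CK technique ids used for the mapping:
#   T1490     Inhibit System Recovery
#   T1047     Windows Management Instrumentation
#   T1562.004 Impair Defenses: Disable or Modify System Firewall
#   T1218.005 System Binary Proxy Execution: Mshta
RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
     "T1490", "vssadmin deletes the volume shadow copies"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
     "T1490", "WMIC deletes the shadow copies"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
     "T1047", "WMI used to reach the shadow-copy provider"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
     "T1490", "bcdedit disables the Windows Recovery Environment"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
     "T1490", "bcdedit suppresses the boot-failure recovery prompt"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
     "T1490", "wbadmin deletes the backup catalog"),
    (re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I),
     "T1562.004", "netsh turns the firewall profile off"),
    (re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I),
     "T1562.004", "netsh legacy (pre-Vista) firewall syntax, same effect"),
    (re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I),
     "T1218.005", "mshta runs an HTA file"),
]

# Command lines copied from the Processes list above (constructed input).
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\cmd.exe"',
    "netsh advfirewall set currentprofile state off",
    "vssadmin delete shadows /all /quiet",
    "netsh firewall set opmode mode=disable",
    "wmic shadowcopy delete",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"',
    r"C:\Windows\System32\vdsldr.exe -Embedding",
]


def classify(cmdline):
    """Return the (technique id, description) pairs a single command line matches."""
    return [(tid, desc) for rx, tid, desc in RULES if rx.search(cmdline)]


def assess(cmdlines):
    """Aggregate one process tree's command lines into a verdict.

    Three or more distinct T1490 steps in one tree is treated as ransomware
    recovery inhibition; a single step is flagged but left for an analyst.
    """
    techniques = {}
    for cmdline in cmdlines:
        for tid, desc in classify(cmdline):
            techniques.setdefault(tid, set()).add(desc)
    steps = techniques.get("T1490", set())
    if len(steps) >= 3:
        verdict = "ransomware recovery inhibition"
    elif steps:
        verdict = "suspicious"
    else:
        verdict = "none"
    return {
        "techniques": {tid: sorted(descs) for tid, descs in techniques.items()},
        "recovery_inhibition_steps": len(steps),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(cmdline, "->", [tid for tid, _ in classify(cmdline)])
    print(assess(SAMPLE_CMDLINES))
```

The rules key on the arguments rather than the binary name alone, so a `vssadmin list shadows` from an administrator or a `bcdedit /enum` from a help-desk script does not match; what they cannot see is the parent, so in production the verdict should be computed per process tree (the cmd.exe instances rebuilt from the WriteProcessMemory table) rather than per host.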

Network

N/A

Files

C:\info.hta

MD5 15cce9a01740e2c1289efced4df965b5
SHA1 1fa3bfb67f7dc5c66895fdd534cfeabc45b8f695
SHA256 298c0d0aa4329df80c64e2ff7c5cd6ed0b325e865322dd6886e95564b712d3e0
SHA512 cfcaf70809897b994d2cf9f30e47a3458ca2e7b3bd99a2d97deaa8aa1dbe89bea366f50f3409dcb710c878e93c92db2e11111ba034b318a1f86e29473c5cb618