Malware Analysis Report

2024-09-11 01:03

Sample ID 240725-b5xjqs1blm
Target LisectAVT_2403002C_161.exe
SHA256 f604723783fbd9d194418ff08b5b30a120bc69ba91c3d74ca7ee6be20cb28800
Tags
phobos aspackv2 credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f604723783fbd9d194418ff08b5b30a120bc69ba91c3d74ca7ee6be20cb28800

Threat Level: Known bad

The file LisectAVT_2403002C_161.exe was found to be: Known bad.

Malicious Activity Summary

phobos aspackv2 credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Renames multiple (313) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (519) files with added filename extension

Credentials from Password Stores: Credentials from Web Browsers

Deletes shadow copies

Modifies Windows Firewall

Deletes backup catalog

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 01:44

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 01:44

Reported

2024-07-25 01:47

Platform

win7-20240704-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

Signatures

Phobos

ransomware phobos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\bcdedit.exe  N/A
N/A          N/A        C:\Windows\system32\bcdedit.exe  N/A
N/A          N/A        C:\Windows\system32\bcdedit.exe  N/A
N/A          N/A        C:\Windows\system32\bcdedit.exe  N/A

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\wbadmin.exe  N/A
N/A          N/A        C:\Windows\system32\wbadmin.exe  N/A

Modifies Windows Firewall

evasion
Description  Indicator  Process                        Target
N/A          N/A        C:\Windows\system32\netsh.exe  N/A
N/A          N/A        C:\Windows\system32\netsh.exe  N/A

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\zGrw.exe  N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LisectAVT_2403002C_161 = "C:\\Users\\Admin\\AppData\\Local\\LisectAVT_2403002C_161.exe" C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\LisectAVT_2403002C_161 = "C:\\Users\\Admin\\AppData\\Local\\LisectAVT_2403002C_161.exe" C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84790KOV\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRLV7L3G\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\48RNM7SN\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF1SL0MP\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3CPCT0UC\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XW1885AL\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Kiev C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msador15.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47F.GIF.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONFLICT.ICO.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_06.MID.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\PROCDB.XLAM.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-TW.dll.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Mozilla Firefox\defaultagent.ini.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02862_.WMF C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.id[DECBBE77-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description           Indicator                                   Process                        Target
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  C:\Windows\system32\netsh.exe  N/A

System Location Discovery: System Language Discovery

discovery
Description  Indicator                                                    Process                                                       Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\zGrw.exe                    N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\cmd.exe                                   N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\mshta.exe                                 N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\mshta.exe                                 N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\mshta.exe                                 N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Windows\SysWOW64\mshta.exe                                 N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe  N/A

Interacts with shadow copies

ransomware
Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\vssadmin.exe  N/A
N/A          N/A        C:\Windows\system32\vssadmin.exe  N/A

Modifies Internet Explorer settings

adware spyware
Description  Indicator                                                                                                   Process                        Target
Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  C:\Windows\SysWOW64\mshta.exe  N/A
Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  C:\Windows\SysWOW64\mshta.exe  N/A
Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  C:\Windows\SysWOW64\mshta.exe  N/A
Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  C:\Windows\SysWOW64\mshta.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 2116 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 656 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 680 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 656 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 680 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 680 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 680 wrote to memory of 108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 680 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2384 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 2384 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 2384 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 2384 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 2384 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2cf67ce1.bat" "

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp

Files

memory/2384-1-0x0000000000CE0000-0x0000000000CF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

memory/2116-11-0x0000000001010000-0x0000000001019000-memory.dmp

memory/2384-10-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/2384-9-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/2016-14-0x0000000000CE0000-0x0000000000CF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4BC03B24.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Temp\2cf67ce1.bat

MD5 10c3436aa833ba2af9afda17dca629c9
SHA1 61a195d514bda98af79e1e7c083dee502872419f
SHA256 5a143929918fd32de0a9c3ff7be309aef644a32e0d13a3fbd7fbe20a08a6a5c7
SHA512 e3e6afa8131761535f34725ca88b9022000596a0b37ee08e1bb9f73188df77519fae2286961090816bde7762390e01dc9a7f8c826cbdd1ff2022d822165b6a17

memory/2116-55-0x0000000001010000-0x0000000001019000-memory.dmp

C:\Program Files\7-Zip\Uninstall.exe

MD5 ff66541f8880814a3e1c3d8de6fb619b
SHA1 6950a7f2dd847a3132ef3dd1b1d173b820651448
SHA256 6a0ff93635853a719657b3f25da01b5d98b3ea4d6c36af408acb9824385532fa
SHA512 27717e305562262ded61ae5e24cc0a44cc20b3cd5a9ce825e12bb4b6eebdc6bbc3d7d2a1757c75419602e049ca0dfd3c880a865c70582beee6109c77c80a36f5

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe

MD5 43dd2d07eaa8fb655d14f1b1e6d3dad1
SHA1 635bcc8bba0e2989485436fe304be02593858478
SHA256 aac2c34317320ce0bdf49bb3267b2ac60ec25283a3e3f45518a6535c738a851f
SHA512 78df3d402d35f5f7874a20e1d93508084c068dfb5186079d6bc2917078c480405537963b702d04d08c44dad3c1bbbf9f4bd8a8446d624504a9062735119ed204

memory/2384-7801-0x0000000000CE0000-0x0000000000CF9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\info.hta

MD5 d87de810d19b026c4875454f63eca017
SHA1 c94c524ef6e725447d4e4d3a049c5c7b249ce80f
SHA256 5b0b963693300be2a0bcaf69ea637a12cfa98f05eb5b7bbaa818a447f13faa7d
SHA512 0a228bfa0adb564ab82910417d6e5f8dde0053ed8d6051bd671e56dd331a2dc8ecfbf2d5a6ce992cf2d7ccff47ea081c386878bdf48aaa7d63541abc29eb0ff2

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 01:44

Reported

2024-07-25 01:47

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

Signatures

Phobos

ransomware phobos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (519) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LisectAVT_2403002C_161 = "C:\\Users\\Admin\\AppData\\Local\\LisectAVT_2403002C_161.exe" C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LisectAVT_2403002C_161 = "C:\\Users\\Admin\\AppData\\Local\\LisectAVT_2403002C_161.exe" C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_variant1_v3.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_opencarat_18.svg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Icons.ttf C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dc.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Mock.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OcHelperResource.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\WideTile.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Edge.dat.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\Xbox.Smartglass.Loc.xml C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-300.png C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js.id[3636C60D-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
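
The rows above follow the Phobos naming scheme: the original file is opened for modification and a new file appears under the name <original>.id[<victim id>-<campaign id>].[<contact>].<extension>, here with victim ID 3636C60D, campaign ID 3542 and the "faust" extension. The text "[email protected]" between the second pair of brackets is a placeholder left by this page's e-mail obfuscation, not the real contact address, so it must not be used as an indicator. The following script is an added example, not part of the sandbox output or of the sample; it parses such names, pairs each created file with the "File opened for modification" row of its original, and produces a triage summary. The rows in SAMPLE_EVENTS are copied from the table above except for the budget.xlsx row, which is constructed with a made-up address on the reserved example.org domain.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Phobos renames every file it encrypts to
#   <original name>.id[<victim id>-<campaign id>].[<contact address>].<extension>
# The pattern is taken from the names in this report ("...id[3636C60D-3542].[...].faust");
# the contact field is captured loosely because the page only shows the "[email protected]"
# placeholder that its e-mail obfuscation left in place of the real address.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<campaign>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class PhobosName:
    original: str   # path of the file before it was encrypted
    victim: str     # 8 hex digits, constant for one infected host
    campaign: str   # 4 hex digits, constant for one build/affiliate
    contact: str    # text between the second pair of brackets
    ext: str        # variant extension, "faust" in this report


def parse_phobos_name(path: str) -> Optional[PhobosName]:
    """Return the parsed name, or None when the path is not a Phobos-encrypted file."""
    m = PHOBOS_NAME.match(path)
    return PhobosName(**m.groupdict()) if m else None


def contact_is_resolved(name: PhobosName) -> bool:
    """A contact without '@' is the page's redaction placeholder, not an indicator to block on."""
    return "@" in name.contact


def pair_events(events):
    """Match each 'File created <x>.id[...]' row with the 'File opened for modification <x>' row of
    the same original file; Phobos writes the ciphertext under the new name after opening the original."""
    modified = {path for action, path in events if action == "File opened for modification"}
    pairs = []
    for action, path in events:
        name = parse_phobos_name(path) if action == "File created" else None
        if name and name.original in modified:
            pairs.append((name.original, path))
    return pairs


def summarize(events) -> dict:
    """Triage view of a file-activity table: how many files were encrypted, under which victim and
    campaign IDs, with which extension, and which contact addresses are actually recoverable."""
    names = [n for action, path in events
             if action == "File created" and (n := parse_phobos_name(path)) is not None]
    return {
        "encrypted": len(names),
        "victims": Counter(n.victim for n in names),
        "campaigns": Counter(n.campaign for n in names),
        "extensions": Counter(n.ext for n in names),
        "contacts": sorted({n.contact for n in names if contact_is_resolved(n)}),
        "unresolved_contacts": sum(1 for n in names if not contact_is_resolved(n)),
        "paired_with_original": len(pair_events(events)),
    }


# Rows copied from the "Drops file in Program Files directory" table as (action, path) pairs,
# plus one constructed row (budget.xlsx, recover@example.org) to show a resolved contact address.
SAMPLE_EVENTS = [
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.id[3636C60D-3542].[[email protected]].faust"),
    ("File opened for modification", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg"),
    ("File created", r"C:\Program Files\7-Zip\Lang\lv.txt.id[3636C60D-3542].[[email protected]].faust"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL"),
    ("File created", r"C:\Users\Admin\Documents\budget.xlsx.id[3636C60D-3542].[recover@example.org].faust"),  # constructed
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run against a full export of the Files table, the victim and campaign counters should each contain a single key; more than one victim ID in one detonation would mean two distinct Phobos builds ran, which is worth noticing before sharing IDs as indicators.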

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Note: the rows below are reads only (key opened, queried, values enumerated) by netsh.exe, which loads its registered helper DLLs from HKLM\SOFTWARE\Microsoft\NetSh every time it starts; no value is written. They are a side effect of the two firewall-disabling netsh commands listed under Processes, not evidence that the sample registered a helper DLL of its own.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks SCSI registry key(s)

Note: the process here is vds.exe, the Virtual Disk Service, started as a COM server (vdsldr.exe -Embedding under Processes) while the shadow-copy and backup-catalog commands ran. The values it reads are the analysis VM's own disk and QEMU DVD-ROM device names, so this is the service enumerating devices rather than the sample fingerprinting hardware.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A (identical row repeated 64 times in the sandbox output; every event is from the sample process)

Suspicious use of AdjustPrivilegeToken

Note: the sample itself enables only SeDebugPrivilege. The long runs under WMIC.exe are WMIC enabling every privilege present in its token when it starts, which it does on each invocation; vssvc.exe and wbengine.exe are the Volume Shadow Copy and Block Level Backup Engine services taking backup/restore privileges while servicing the deletion commands. Numeric entries are privilege LUIDs the sandbox did not resolve to a name.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 4416 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 4416 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 4416 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 4460 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4460 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4488 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4488 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4460 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4460 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 824 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4488 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4488 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4488 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4488 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4488 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4488 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 4488 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 4416 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\SysWOW64\mshta.exe
PID 4416 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe C:\Windows\system32\cmd.exe
PID 3608 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3608 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3608 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3608 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3608 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3608 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3608 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3608 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3608 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3608 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_161.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5b132252.bat" "

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp

Files

memory/4416-0-0x0000000000E40000-0x0000000000E59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

memory/824-4-0x00000000006B0000-0x00000000006B9000-memory.dmp

memory/2344-13-0x0000000000E40000-0x0000000000E59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79DC3B2C.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\k2[1].rar

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[3636C60D-3542].[[email protected]].faust

memory/824-678-0x00000000006B0000-0x00000000006B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5b132252.bat

memory/4416-4378-0x0000000000E40000-0x0000000000E59000-memory.dmp

C:\info.hta