Analysis Overview
SHA256
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd
Threat Level: Likely malicious
The file ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (7719) files with added filename extension
Renames multiple (7822) files with added filename extension
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Enumerates connected drives
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 03:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 03:01
Reported
2024-10-18 03:04
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Renames multiple (7822) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\LPW5.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\access\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Cayman | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2B.BDR | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management-agent.jar | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\javafx.properties.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\LPW5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F |
| C:\Windows\SysWOW64\schtasks.exe | SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" |
| C:\Windows\SysWOW64\schtasks.exe | SCHTASKS.exe /Delete /TN "Windows Update BETA" /F |
| C:\ProgramData\LPW5.tmp | C:\ProgramData\LPW5.tmp |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 5 |
Network
Files
C:\ProgramData\CYLANCE_README.txt
| Hash | Value |
| --- | --- |
| MD5 | 38aa4cc478c9256f32512e2e7ccbd9d2 |
| SHA1 | f54cc3fa07fea8d745e7c1a84935091f719e49c3 |
| SHA256 | 30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b |
| SHA512 | d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464 |
C:\ProgramData\LPW5.tmp
| Hash | Value |
| --- | --- |
| MD5 | ab65af4349e7c5b0872c8b808d036980 |
| SHA1 | 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0 |
| SHA256 | a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2 |
| SHA512 | 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 03:01
Reported
2024-10-18 03:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Renames multiple (7719) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\LPW5.tmp | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\27.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_NinjaCat.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\classlist | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareErrorMessagePage.xaml | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\plugin.js.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\Internet Explorer\de-DE\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.Tests.ps1.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\ui-strings.js.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\CYLANCE_README.txt | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsym.ttf | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt.Cylance | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\LPW5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F |
| C:\Windows\SysWOW64\schtasks.exe | SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" |
| C:\ProgramData\LPW5.tmp | C:\ProgramData\LPW5.tmp |
| C:\Windows\SysWOW64\schtasks.exe | SCHTASKS.exe /Delete /TN "Windows Update BETA" /F |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 5 |
Network
Files
C:\ProgramData\CYLANCE_README.txt
| MD5 | 38aa4cc478c9256f32512e2e7ccbd9d2 |
| SHA1 | f54cc3fa07fea8d745e7c1a84935091f719e49c3 |
| SHA256 | 30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b |
| SHA512 | d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | e30a90024fb5d2689a2a788523783c3d |
| SHA1 | 669bb4c3ccae7934b5bc129da1703338ece5f344 |
| SHA256 | f3690c626887e31071b1a6b9a98e511dd0653d2160bd552464acf278044d74c7 |
| SHA512 | 8d636c87b5d541dc69c2fa683b696a479a9a433086b5e00b5c1c2d663c350380f7a5e70e44145228262cb9dabfc6935d611208ad47d3dae7504ddbb46f89161b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 2aa6ced24f1da6b5041592d9c4ac425a |
| SHA1 | 23d77a272dc42217d24ef15f3bbd2de04625bd25 |
| SHA256 | 7d7753c0d9090da3911b701a1094c7f313dbab948784bca584b62faf474a67bb |
| SHA512 | 846717046f3bd8982bd82a71dad3142c21970305dc949b2a43080259b52003fcedbba905246612b8551a8e345fc1f97bd3923443e5e17b9ad9d25c6fd876fde0 |
C:\ProgramData\LPW5.tmp
| MD5 | ab65af4349e7c5b0872c8b808d036980 |
| SHA1 | 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0 |
| SHA256 | a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2 |
| SHA512 | 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679 |