Malware Analysis Report

2024-11-16 12:14

Sample ID 241106-b2ke1avnhn
Target 18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff
SHA256 18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff
Tags
phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff

Threat Level: Known bad

The file 18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff was found to be: Known bad.

Malicious Activity Summary

phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Phobos family

Renames multiple (520) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (324) files with added filename extension

Deletes shadow copies

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 01:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 01:38

Reported

2024-11-06 01:40

Platform

win7-20241010-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

Signatures

Phobos

ransomware phobos

Phobos family

phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (324) files with added filename extension

ransomware

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff = "C:\\Users\\Admin\\AppData\\Local\\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe" C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff = "C:\\Users\\Admin\\AppData\\Local\\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe" C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V50G20NG\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QHWRVUKQ\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\65NE61TJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BJINZE1S\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2Q9CV5JV\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQYB9FVA\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8U3B82NZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00668_.WMF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jre7\bin\awt.dll.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\UnblockClose.dib.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusAway.ico C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Paris.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Menominee.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\PushSearch.jfif.id[E3B50C9F-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2572 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2572 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2844 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2572 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2572 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2572 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2572 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 2716 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2688 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2688 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2688 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2688 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2688 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2688 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2688 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2688 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2688 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2688 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2688 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

Network

N/A

Files

C:\info.hta

MD5 cb0b9769fe602694f7caf38d25d739ec
SHA1 da387b51c8c30028e6b0592bc9f9ef9524a8a4b8
SHA256 eb36bbf901e169193ae1486ee724bad11caad1f30a364a25c5463d4eb102ac16
SHA512 1d008a73d3f6ad37005e3b6a7333b0ba4826c6fa2c8e4a2c5bcd34ab0dab90bfdaae0d332dc8bc500391b10a0e2a7bb86bed5aae0167c280f77beb3a760e0b9c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 01:38

Reported

2024-11-06 01:40

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

Signatures

Phobos

ransomware phobos

Phobos family

phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (520) files with added filename extension

ransomware

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff = "C:\\Users\\Admin\\AppData\\Local\\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe" C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff = "C:\\Users\\Admin\\AppData\\Local\\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe" C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1_Loud.m4a C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBGTaskHelper.winmd C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_pt-PT.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-30_contrast-black.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\move.svg.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ta.txt C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-100.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Primitives.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hi.pak.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_18.svg.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ta.dll.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-400.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.id[D2A5D5EC-1030].[[email protected]].phobos C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-high.png C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 4624 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4624 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1608 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4624 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4624 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1608 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4276 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6900 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6900 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6900 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6480 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6480 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6480 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\SysWOW64\mshta.exe
PID 4276 wrote to memory of 6724 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 6724 N/A C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe C:\Windows\system32\cmd.exe
PID 6724 wrote to memory of 6376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 6724 wrote to memory of 6376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 6724 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 6724 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 6724 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 6724 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 6724 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 6724 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe

"C:\Users\Admin\AppData\Local\Temp\18637c278083785d8c5cafdcbf819407182fc554c90c75d02bd10d6a9c6feaff.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[D2A5D5EC-1030].[[email protected]].phobos

MD5 de07a38104347d30179302b709c59eba
SHA1 32de4b151d4990e148d19b411f8220b30276fb72
SHA256 86799c22bc38dc508626fa394f0069a25c89327fca0323662920c763c6411116
SHA512 31b03f88ec059ecd2186c8d7e10be5499dc964e622fbef4ff7c6980b82c43dc4b3bb406fdac64cd263e1a4745dbb288e56b436a3168cfdf7b2c4928490989869

C:\info.hta

MD5 dfe094befbdbe6cbb6f77bea9f6f99c7
SHA1 4dca2edf31571f729816ad6698f6c6c7b7cb8683
SHA256 1cff75d2d8066696dd7104760137d7417ea9cc9fe52525e400b90f922fd54351
SHA512 d18d05e0593d7eb2a6563dd7a31068db5abea2b0f34657644f9657b2769d0dfcb7f8651c69449f7020bad3ea1d0026d66da241c06fc9686ec6a4d754113c5da4