Malware Analysis Report

2025-01-23 13:39

Sample ID 241124-2w7w8azpcn
Target aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe
SHA256 aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17
Tags
cryptone packer netwalker defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17

Threat Level: Known bad

The file aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe was found to be: Known bad.

Malicious Activity Summary

cryptone packer netwalker defense_evasion discovery execution impact ransomware spyware stealer

Detected Netwalker Ransomware

Netwalker family

Netwalker Ransomware

CryptOne packer

Deletes shadow copies

Renames multiple (7385) files with added filename extension

Renames multiple (493) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 22:57

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 22:57

Reported

2024-11-24 22:59

Platform

win7-20241010-en

Max time kernel

81s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"

Signatures

Detected Netwalker Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwalker Ransomware

ransomware netwalker

Netwalker family

netwalker

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (7385) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11 C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Oral C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02790_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00441_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.DPV C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\BA3AAF-Readme.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\BA3AAF-Readme.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\BA3AAF-Readme.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\BA3AAF-Readme.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\blank.jtp C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ATPVBAEN.XLAM C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\CompressShow.xsl C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\system32\vssadmin.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\system32\vssadmin.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\system32\vssadmin.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\system32\vssadmin.exe
PID 2236 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\notepad.exe
PID 2236 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\notepad.exe
PID 2236 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\notepad.exe
PID 2236 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\notepad.exe
PID 2236 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 6720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4428 wrote to memory of 6720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4428 wrote to memory of 6720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4428 wrote to memory of 6720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

"C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BA3AAF-Readme.txt"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FC3A.tmp.bat"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 2236

Network

N/A

Files

memory/2236-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2236-0-0x00000000001B0000-0x00000000001D6000-memory.dmp

memory/2236-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2236-15-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Program Files (x86)\MSBuild\BA3AAF-Readme.txt

MD5 6a138ced4f4aa6fb80604fa3fc11b829
SHA1 b4ee892831ba33ad9d3c0feae05cf81c9208493c
SHA256 4b1c4914f34302c1d7d1df62c462a9e5726ab1b745cd014740e14a59126803fe
SHA512 80dc25f60a5825d7fe7ed489a03c939865444898becf61b42c7c7d52f6ed0dcf137128f6f565f03cc89b2785dbc6c67eca23ad83de14af01ef1c6d4cb9073253

memory/2236-804-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2236-1377-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2236-2194-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2236-3321-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2236-4988-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2236-7135-0x0000000000400000-0x0000000000448000-memory.dmp

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D.ba3aaf

MD5 6a0423e0d1bc83d6b161a9174f89ed0c
SHA1 4a36fc9dfbf01f678e27a3a171e2261ce8f95bb1
SHA256 13f9c535275af19149310bff6d0536d1555f772e281950942bef3fa00436ccbe
SHA512 cb5f8dcf0043f2f4266cb9e71a11ffa84da8e01b93563d213e028cd4bebfe874c75093d2f223d1cb2125b25818ad62cfeea73095aca2a67c337353c41b2bed9f

C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.Lck.ba3aaf

MD5 031c82116a2ae3fe1c35feb8f76f54a5
SHA1 2c3fbc2a6b6bdc997ee1ed0d4d08e2767215c589
SHA256 209e0d92e906bb3ad246d9eab3bfd613515a7d4f55b933f20ebb1ee79bdf6c2a
SHA512 a595464bed78d9fbedcf2aa4e9045caefe68ab3b57a01e7cfaa08082bff5d0d5957cab2e21651d7fa8300617032c6e4846144d882a63dbc0945a8c0bf1c454f0

C:\Users\Admin\AppData\Local\Temp\FC3A.tmp.bat

MD5 8de2f7f6237739c4bbd86bea97e0bc47
SHA1 bf3e975104f9cce022a4897ac69ee7c341315dce
SHA256 1dbf1c918053c7d1040913ce5b7004cc5931d41b746ade4b87cef1fee2f5cf7a
SHA512 cd06856735fbaff24d12fde83eadaea231140b45663d796a047e80ee85f401c7b4f8f4516dca6d21c9ab3961de40763ab02590bcc98280519182049a11e1953a

memory/2236-8235-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2236-8234-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 22:57

Reported

2024-11-24 22:57

Platform

win10v2004-20241007-en

Max time kernel

4s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"

Signatures

Detected Netwalker Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwalker Ransomware

ransomware netwalker

Netwalker family

netwalker

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (493) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_es-AR.json C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Shutter.m4a C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1.m4a C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Hedge.dxt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-black.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Crashpad\metadata C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OutlookAccount.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AdaptiveCards.Rendering.Uwp.winmd C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.winmd C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\201.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-100.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNewNote.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\CA3D36-Readme.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\manifest.json C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\39.jpg C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\TellMeOneNote.nrr C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-200.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e35cc441.pri C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigEar.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FilePowerPoint32x32.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

"C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/3336-0-0x00000000021B0000-0x00000000021D6000-memory.dmp

memory/3336-1-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CA3D36-Readme.txt

MD5 0fa3b208824da5607858c1fc8ee28fbf
SHA1 2fbe40bdb0e339f7831ffb3160c8831589ec5fc6
SHA256 f3f7a8ac039ca497be81702b1180c7e147cc2544529de42432c7325df308180d
SHA512 09f81092f3a31a20e8392cbb9667c58ac25eb363224a1cc7f80668b748a275613b9135bcb0942f6325930f351957b19512082821c10c92f57c9958fe39f9b891

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

MD5 8359496564107214cce359d501b11fc2
SHA1 3f7254b9d61126d664ab3ab8153b5cf631814f6a
SHA256 adc4311564c2604b8c09373b03c079a67737897838be1af7b2edf38d58845311
SHA512 9aa42ddf234017884ffbd65344f84664fa04a72c64c6666725b5e3eb8c91c7ab350bb732ec403f15da86a555e1f4f8621f441b37b192c49d77e0dd79c78a69ba

memory/3336-3432-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3336-3958-0x0000000000400000-0x0000000000414000-memory.dmp