Analysis Overview
SHA256
ea13726399250935413444d0b7ed952064e970de7dc0cdca4fac7e0997245013
Threat Level: Known bad
The file JaffaCakes118_ea13726399250935413444d0b7ed952064e970de7dc0cdca4fac7e0997245013 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi/Revil sample
Sodinokibi family
Sodin, Sodinokibi, REvil
Deletes shadow copies
Renames multiple (150) files with added filename extension
Renames multiple (213) files with added filename extension
Reads user/profile data of web browsers
Checks computer location settings
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-24 21:36
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-24 21:36
Reported
2024-12-24 21:38
Platform
win7-20240903-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Sodin, Sodinokibi, REvil
Sodinokibi family
Deletes shadow copies
Renames multiple (213) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01y8l54z5m.bmp" | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe
"C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Default\98p1n9-readme.txt
| MD5 | dad0144c0aa8cfb82da9431023c7deed |
| SHA1 | df0151a96ae7ffa3dc769011e7232c12af26412a |
| SHA256 | f70485d5612f05dca83b0682da51d8f5e57c0699cab6b48fdbb3bf24c69bf261 |
| SHA512 | cc87193e8249ad5609555379e3da8f126710df4fcf861d0df04e0e3cf579b7fa3885484213c7974d9803f7df956d3fcd94b1185a981a74d0dca34da1d6fd3d7f |
C:\Users\Admin\AppData\Local\Temp\CabC4A8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC4CA.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-24 21:36
Reported
2024-12-24 21:38
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Renames multiple (150) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63x2884p5.bmp" | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2896 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2896 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2896 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe
"C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Default\8yo0ez39o6-readme.txt
| MD5 | d9a8212c8ebb32a2ab9526b6fa466017 |
| SHA1 | 47fcb26ef47dce784f41519e7f12313aefb7f793 |
| SHA256 | d2eebd4844fa85e0cc8887b9029b2eb21a7353ec21f2ea50eba4afa8796b8a50 |
| SHA512 | 1d17ee5b8419c1997bf20526e992cec6c40166919653a06eb6bcda14f1362ca5e4688efd7a2250a07f55dcbb57a7f0a425fd63fcc14dfc39b24911272123029c |