Malware Analysis Report

2025-03-15 00:01

Sample ID 250221-ctjzyazqds
Target payload.exe
SHA256 7ecb2207b8e9e3e95700c1a0e8616995a07aecc3437d53705ba9dc6bf7ca18e0
Tags
dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ecb2207b8e9e3e95700c1a0e8616995a07aecc3437d53705ba9dc6bf7ca18e0

Threat Level: Known bad

The file payload.exe was found to be: Known bad.

Malicious Activity Summary

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Dharma family

Dharma

Deletes shadow copies

Renames multiple (660) files with added filename extension

Renames multiple (313) files with added filename extension

Checks computer location settings

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Interacts with shadow copies

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-21 02:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-21 02:22

Reported

2025-02-21 02:24

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (313) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DZXJZH2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HUSZWRNT\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TUVLNS83\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8YJ7JBZ2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Slipstream.thmx.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28B.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\libvlccore.dll.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MSOSTYLE.DLL.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00454_.WMF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Nome.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188587.WMF C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SEARCH.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Black Tie.thmx.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.ELM.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\HST10.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\7-Zip\7z.exe.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll.id-58FB4D47.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2688 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2764 wrote to memory of 5752 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 5752 wrote to memory of 6244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5752 wrote to memory of 6340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2764 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2764 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-58FB4D47.[[email protected]].SCRT

MD5 5c9c30fa0580eabfd16d25b1fe8cb82b
SHA1 e9788c23601c514abc84c235a05c87a53f4b8fdb
SHA256 9774eaf3bda306fe4025e64ea34b82ea9936e9a49b1357ece09cda676ed37eea
SHA512 6f00d8134053b259894cc84b4b3ad498c9aca7203c83cd85b0d28ae05fe539c3f92240db93ba06fdbb2146b4a0af099797923f45f3acf7347bce2ea889eb673f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 d6a4f8c6a637d3c3f2d3593fd34bacd6
SHA1 38d428a21a07364d57dad62f8bcae15ec8ca7853
SHA256 f6a98b09656146fc4089f347e3eb5b24ebf92950589b99355c6531d91a50c221
SHA512 735c94f37291ece9f746bb5aa2ede7c4763e77390e1508c5def4c84267605b4210e0e1365a89d0a43fb43c945a3eeecd1a1a238170ad652ef3dd3cb00a5ec8df

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-21 02:22

Reported

2025-02-21 02:24

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (660) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\management-agent.jar C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main-selector.css.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\media_poster.jpg.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Wide310x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\font\CameraSymbols.ttf C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\hr.pak C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\csi.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointPortalSite.ico.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_pa.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Other.DATA C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationBuildTasks.resources.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.id-E9CDFE42.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\8C918D9A-F447-4EBD-BD45-29F1D9209FC9.json C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 4684 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4684 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4684 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4684 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4900 wrote to memory of 7364 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 7364 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 7364 wrote to memory of 8772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 7364 wrote to memory of 8772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 7364 wrote to memory of 8508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 7364 wrote to memory of 8508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4900 wrote to memory of 7740 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4900 wrote to memory of 7740 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4900 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4900 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-E9CDFE42.[[email protected]].SCRT

MD5 53a9f5ac58ffadc103554d29743bc37b
SHA1 ac1787968613b130e3634f62144351cff5ba8ede
SHA256 50463907a05bf43d45880c9d9608e3b5298812785a75805483f3c2f132a80137
SHA512 6a5e474a5d6d83c41c2f93e38f0d68b2f4f9174d3a388eb6a544e652f2bd2d7680fd682eb06c35af2b25e9f6fbdb7c5dab1e9f4fb25b1dc39ef76b8ccade1f52

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 aec16ba52fe64eb1c5be5d1deea83e11
SHA1 f7524ff2d8be7730755c5fdb8f91519a41a8107b
SHA256 61e1efab90fa72e3deddf344ac47c2d5887f405816d6c8e97ad84d4cff249885
SHA512 49a4e6a415fd836673cdea5f584d008b7fc4594b8f76cca05db1ffaa3a93525e5cc7e8057301eb1f91c0d715ba4e10cad6710c6436ff090aaa5a78849fa731ba