Malware Analysis Report

2025-03-15 00:02

Sample ID 250221-edf98asnbq
Target payload.exe
SHA256 7ecb2207b8e9e3e95700c1a0e8616995a07aecc3437d53705ba9dc6bf7ca18e0
Tags
dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file payload.exe was found to be: Known bad.

Malicious Activity Summary

Dharma

Dharma family

Renames multiple (660) files with added filename extension

Renames multiple (321) files with added filename extension

Deletes shadow copies

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2025-02-21 03:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-21 03:49

Reported

2025-02-21 03:51

Platform

win7-20240729-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (321) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D8EE9149.[[email protected]].SCRT | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D8EE9149.[[email protected]].SCRT | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe" | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A

Drops desktop.ini file(s)

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\payload.exe | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A

Drops file in Program Files directory

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\MSI86B.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIF14.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIFEF.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f770532.ipi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f77052f.mst | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f77052f.mst | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI908.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIC53.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f770532.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIEC4.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIEF4.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI134A.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI59C.tmp | C:\Windows\system32\msiexec.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payload.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\"" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb edit \"%1\"" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\"" | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}" | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 1960 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1960 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1960 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1960 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1960 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1960 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2016 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3212 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3212 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3212 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3212 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3212 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 57B65F52B2B1A85627C1FC1CD7A44D94

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 31A79D22D40385F5B72BDBDE81BB24DC

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
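
The "Suspicious use of WriteProcessMemory" table above is, in practice, the process tree: the sandbox records the parent writing the child's startup data on CreateProcess, and repeats each row several times. Reading it together with the "Processes" list gives the chain that matters for triage: payload.exe spawns cmd.exe, which runs `mode con cp select=1251` and then `vssadmin delete shadows /all /quiet`, and payload.exe separately launches mshta.exe on the Info.hta it dropped into the two Startup folders. The msiexec.exe / MsiExec.exe -Embedding subtree, the vssvc.exe token rows in the AdjustPrivilegeToken table and the msiexec.exe rows in "Modifies registry class" are the Windows Installer and Volume Shadow Copy services doing their own work (the Process column shows the service, not payload.exe); a tree walk keeps them out of the sample's lineage. The script below is an added example, not part of the report or of the sandbox vendor's tooling: it parses one copy of each distinct row, rebuilds parent/child links, attaches the command lines from the "Processes" list, and reports each flagged command with its full ancestry. The PID-to-command-line mapping is an assumption for the example, because the report lists command lines without PIDs.

```python
import ntpath
import re

# Constructed input: one copy of each distinct row from the report's
# "Suspicious use of WriteProcessMemory" table. CreateProcess writes the
# child's startup data, so parent -> child here is the process tree.
WRITE_ROWS = r"""
PID 2016 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 1960 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1960 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1880 wrote to memory of 4056 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2016 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3212 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2016 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 2016 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 1880 wrote to memory of 1416 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
"""

# Command lines copied from the report's "Processes" list. The report does not
# bind them to PIDs, so this mapping is an assumption made for the example.
CMDLINES = {
    2016: r'"C:\Users\Admin\AppData\Local\Temp\payload.exe"',
    1960: r'"C:\Windows\system32\cmd.exe"',
    2484: "mode con cp select=1251",
    1856: "vssadmin delete shadows /all /quiet",
    3212: r'"C:\Windows\system32\cmd.exe"',
    2080: "mode con cp select=1251",
    3628: "vssadmin delete shadows /all /quiet",
    2300: r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
    3172: r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
    1880: r"C:\Windows\system32\msiexec.exe /V",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_tree(rows):
    """Return (child_pid -> parent_pid, pid -> image path) from the table rows."""
    parent, image = {}, {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        parent[cpid] = ppid
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
    return parent, image


def lineage(pid, parent, image):
    """Root-to-leaf chain of image basenames for pid (ntpath handles the Windows paths)."""
    chain = []
    while pid is not None:
        chain.append(ntpath.basename(image[pid]).lower())
        pid = parent.get(pid)
    return chain[::-1]


def classify(cmdline):
    """Map a command line to the technique it evidences, or None for benign/unknown."""
    low = cmdline.lower()
    if "vssadmin" in low and "delete" in low and "shadows" in low:
        return "T1490 Inhibit System Recovery: shadow copies deleted"
    if "mshta" in low and ".hta" in low and "\\start menu\\programs\\startup\\" in low:
        return "T1547.001 / T1218.005: mshta.exe runs an .hta placed in a Startup folder"
    if "mode con cp select=1251" in low:
        return "console code page switched to 1251 (Cyrillic)"
    return None


def findings(rows, cmdlines):
    """(pid, ancestry chain, technique) for every process whose command line is flagged."""
    parent, image = parse_tree(rows)
    out = []
    for pid in sorted(image):
        tag = classify(cmdlines.get(pid, image[pid]))
        if tag:
            out.append((pid, " > ".join(lineage(pid, parent, image)), tag))
    return out


if __name__ == "__main__":
    for pid, chain, tag in findings(WRITE_ROWS, CMDLINES):
        print(f"{pid:>5}  {chain:<40}  {tag}")
```

Run stand-alone it lists six flagged processes, every one of them rooted at payload.exe; nothing under msiexec.exe is flagged. The `mode con cp select=1251` rows are worth keeping in the output even though they are harmless on their own: the same cmd.exe instance issues them immediately before `vssadmin delete shadows`, which is a usable sequence for a detection rule.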

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-D8EE9149.[[email protected]].SCRT

MD5 f2ea71c4cbdc54623af55dd98b3307ec
SHA1 9b71b52b6ca2462e7311186fe5645c324b889eb5
SHA256 2191e8d6acf875f2b09782d8c68fbabba94f97ae6d5e06080cf71baf7ab9f9a6
SHA512 dac2480a302fac6eb8fb5285fa1045ee1d86172932147fcf8be5f47331c81c2ea1c3f0bab0a08e5c6886790569b3d388e11085dc278b336c110ecada9ac00ad5

C:\Windows\Installer\MSI59C.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

C:\Windows\Installer\MSI86B.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

C:\Windows\Installer\MSIEC4.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Windows\Installer\MSIF14.tmp

MD5 33908aa43ac0aaabc06a58d51b1c2cca
SHA1 0a0d1ce3435abe2eed635481bac69e1999031291
SHA256 4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783
SHA512 d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 d4191628bbd4373fca1df8759d6fea5e
SHA1 74a397e264ef0c91dcccef618b015f8725a1c9a3
SHA256 88833e07c1f1c8acc419d5e7d8fa83ead8625be2e13f00ec1d3a58d3dad3d95a
SHA512 8d61e7756ca79d599c185fb16131561d319ce92a05ad202be9662ab2091709fc54f681d44f5319c4cbc39428c7205de4d49b35e66a213fb23593675f13d96e84

C:\Windows\Installer\MSI134A.tmp

MD5 ff58cd07bf4913ef899efd2dfb112553
SHA1 f14c1681de808543071602f17a6299f8b4ba2ae8
SHA256 1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391
SHA512 23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

C:\Users\Admin\Desktop\info.txt

MD5 9b1b6b0e882a2a05872f3af5090067c2
SHA1 f07391cdf71e30a43d3833642bed47664087bdbc
SHA256 a4f247d8518669986919ee2b5389544340dce2fbc05b4a8ff04d835f90bdbb0b
SHA512 7d6db752efb6a0344767a2b2716c34f49209a274cd7e58b89123a81d4099bbdbfa1e23f4ff40d0803c457b19e4eb2522aaa138fc657434d0c4618005282b7731
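
The renamed files in the "Files" list follow the Dharma/CrySIS naming scheme `<original>.id-<8 hex>.[<contact>].<extension>`. One caveat matters for anyone turning these names into indicators: the `id-` segment differs between the two detonations of the same sample (D8EE9149 in behavioral1, E87FE265 in behavioral2), so it is generated per victim machine and must not be pinned in a hunt; the bracketed contact and the `.SCRT` extension are the stable part. The report also shows the contact as `[email protected]`, a redacted form, so the parser below only requires a bracketed segment and does not validate an address. This is an added example, not part of the report: it parses the names, summarises what is constant across both runs, and builds a hunt regex that wildcards the victim id. The sample paths are copied from the report; the two unrenamed paths are included for contrast.

```python
import ntpath
import re

# Dharma/CrySIS renames each encrypted file to
#   <original name>.id-<8 hex digits>.[<contact address>].<extension>
# The contact is only required to be a bracketed segment, because the report
# shows it in the redacted form "[email protected]".
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample: paths from the report's two detonations plus two files
# the sample touched but did not rename.
SAMPLE_PATHS = [
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-D8EE9149.[[email protected]].SCRT",  # behavioral1
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E87FE265.[[email protected]].SCRT",  # behavioral2
    r"C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.id-E87FE265.[[email protected]].SCRT",  # behavioral2
    r"C:\Users\Admin\Desktop\info.txt",  # ransom note, not renamed
    r"C:\Program Files\7-Zip\Lang\mn.txt",  # opened for modification, not renamed
]


def parse_encrypted_name(path):
    """Return the name components for a Dharma-renamed file, or None if it is not one."""
    m = DHARMA_NAME.match(ntpath.basename(path))
    return m.groupdict() if m else None


def summarize(paths):
    """Count renamed files and collect the distinct ids, contacts and extensions seen."""
    hits = [p for p in map(parse_encrypted_name, paths) if p]
    return {
        "encrypted": len(hits),
        "victim_ids": {h["victim_id"].upper() for h in hits},
        "contacts": {h["contact"] for h in hits},
        "extensions": {h["ext"] for h in hits},
    }


def hunt_pattern(summary):
    """Regex over the stable suffix only: the victim id is per machine, so it is wildcarded."""
    contacts = "|".join(re.escape(c) for c in sorted(summary["contacts"]))
    exts = "|".join(re.escape(e) for e in sorted(summary["extensions"]))
    return re.compile(rf"\.id-[0-9A-Fa-f]{{8}}\.\[(?:{contacts})\]\.(?:{exts})$", re.IGNORECASE)


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print(s)
    print(hunt_pattern(s).pattern)
```

The resulting pattern matches files from both detonations even though their ids differ, which is the property a file-server sweep needs. The ransom note names (Info.hta in the Startup folders, info.txt on the desktops) are the other stable artefact this report offers; they do not carry the suffix and are handled separately.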

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-21 03:49

Reported

2025-02-21 03:51

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (660) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
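
The "Drops startup file" and "Adds Run key to start application" tables together show three persistence paths for the sample: a copy of payload.exe and the Info.hta note in the per-user Startup folder, a Run value that points at a copy of payload.exe written to System32, and two Run values that launch mshta.exe on Info.hta. Two details in the Run rows are useful for detection: the value names `C:\Windows\System32\Info.hta` and `C:\Users\Admin\AppData\Roaming\Info.hta` are full file paths rather than application names, and the value data references files the same process had just created. The script below is an added example, not part of the report: it parses rows in the report's own column layout, correlates "File created" rows with Run values, and flags the combinations that appear here. It assumes the Process column contains no spaces and that the report escapes value data JSON-style (doubled backslashes, `\"` for quotes), which is what the rows above show.

```python
import json
import ntpath
import re

# Constructed input: rows from the report's "Drops startup file",
# "Adds Run key to start application" and "Drops file in System32 directory"
# tables (behavioral2), columns Description Indicator Process Target.
ROWS = r'''
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Windows\System32\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
'''

RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\"
STARTUP_DIR = r"\start menu\programs\startup" + "\\"
AUTORUN_EXTS = {".exe", ".hta", ".vbs", ".js", ".bat", ".cmd", ".lnk", ".scr"}


def parse_row(line):
    """Return ("file", path, None, process) or ("run", value_name, data, process), else None."""
    line = line.strip()
    if not line.endswith(" N/A"):
        return None
    body = line[: -len(" N/A")]
    if body.startswith("File created "):
        # The path may contain spaces; the process column does not (assumption).
        path, _, proc = body[len("File created "):].rpartition(" ")
        return ("file", path, None, proc)
    if body.startswith("Set value (str) "):
        keypath, sep, tail = body[len("Set value (str) "):].partition(' = "')
        if not sep or not keypath.upper().startswith(RUN_KEY.upper()):
            return None
        raw, _, proc = tail.rpartition('" ')
        data = json.loads('"' + raw + '"')  # the report escapes value data JSON-style
        return ("run", keypath[len(RUN_KEY):], data, proc)
    return None


def referenced_paths(data):
    """Quoted arguments plus any bare token that looks like a drive path."""
    quoted = re.findall(r'"([^"]+)"', data)
    bare = [t for t in re.sub(r'"[^"]*"', " ", data).split() if ":\\" in t]
    return quoted + bare


def audit(rows):
    """(finding, subject, process) for every persistence indicator in the rows."""
    parsed = [p for p in map(parse_row, rows.splitlines()) if p]
    created = {path.lower() for kind, path, _, _ in parsed if kind == "file"}
    out = []
    for kind, subject, data, proc in parsed:
        if kind == "file":
            low = subject.lower()
            if STARTUP_DIR in low and ntpath.splitext(low)[1] in AUTORUN_EXTS:
                out.append(("startup_folder_drop", subject, proc))
            elif low.startswith("c:\\windows\\system32\\") and not proc.lower().startswith("c:\\windows\\"):
                out.append(("system32_drop_by_user_process", subject, proc))
        else:
            if "\\" in subject:  # Run value named after a file path, not an application
                out.append(("run_value_named_by_path", subject, proc))
            if "mshta" in data.lower() and ".hta" in data.lower():
                out.append(("run_value_launches_hta", data, proc))
            for target in referenced_paths(data):
                if target.lower() in created:
                    out.append(("run_value_targets_dropped_file", target, proc))
    return out


if __name__ == "__main__":
    for finding, subject, proc in audit(ROWS):
        print(f"{finding:<32} {subject}")
```

On these rows the audit yields ten findings in five classes; the Run value for `C:\Users\Admin\AppData\Roaming\Info.hta` is flagged for its path-shaped name and for launching mshta.exe but not as targeting a dropped file, because no "File created" row for that path appears in the tables above. The same correlation works on live hosts with the Run key read from the registry and file creation taken from Sysmon or audit logs.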

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-100612193-3312047696-905266872-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\payload.exe C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_contrast-white.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js.id-E87FE265.[[email protected]].SCRT C:\Users\Admin\AppData\Local\Temp\payload.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 6588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3228 wrote to memory of 6588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3228 wrote to memory of 6104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3228 wrote to memory of 6104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4804 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\system32\cmd.exe
PID 3076 wrote to memory of 9188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3076 wrote to memory of 9188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3076 wrote to memory of 9484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3076 wrote to memory of 9484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4804 wrote to memory of 7272 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4804 wrote to memory of 7272 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4804 wrote to memory of 6800 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe
PID 4804 wrote to memory of 6800 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe

"C:\Users\Admin\AppData\Local\Temp\payload.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-E87FE265.[[email protected]].SCRT

MD5 c80769b4bd6a7494eb0e195f62746730
SHA1 1a92ffaa6d8465fd9992283a3b5015caaeeceaab
SHA256 e84a0daeb7c6a498208b4dc72cad2f97aecd4c4efae390f87906b754b1381c7e
SHA512 806fd34d775b0c3dce24bd4d542e031952d5e0df224b786f97aa13c20d644cbdf0860a7353ee5ab1c40f306a24494627bc34b922ed352474a84e87d6d8864c67

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 79b1dbbd2fb87cd2006190b6e1d2cf62
SHA1 9237e6f4297b44b44105ff7410ac6bfa92234c5c
SHA256 8dc45adb06253c0abd69a2cf591f5e619d81931be17589f0002935b212d37324
SHA512 a3bbbdd75591518860559850948392b6a374ccb165f7dfe8f8613684cd9ce50ab115759153cdd2a5eb0c684c9a0bc5162e42baa169772c09fc68aa5e7c1db148