Malware Analysis Report

2025-03-14 23:59

Sample ID 250226-2w8thswvaz
Target c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0
SHA256 c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0
Tags dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0

Threat Level: Known bad

The file c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0 was found to be: Known bad.

Malicious Activity Summary

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Dharma family

Dharma

Renames multiple (666) files with added filename extension

Renames multiple (321) files with added filename extension

Deletes shadow copies

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-26 22:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 22:57

Reported

2025-02-26 22:59

Platform

win7-20241010-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (321) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe = "C:\\Windows\\System32\\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
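
The three Run values above share two traits worth turning into a triage rule: two of them start the ransom note through mshta.exe rather than running the payload directly, and all three point at files the same process had just written to System32 or the Startup folder. The script below is an added example, not part of the sandbox report or of any vendor tooling. It takes the Run values and dropped-file paths exactly as they appear in the behavioral1 tables (sandbox string escaping removed) and explains why each entry is suspicious; the list of script-host binaries is the author's own assumption about which signed hosts deserve scrutiny.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Run-key values recorded in the behavioral1 table above, with the sandbox's
# string escaping (\" and \\) already removed: (value name, value data).
RUN_VALUES = [
    (r"C:\Windows\System32\Info.hta",
     r'mshta.exe "C:\Windows\System32\Info.hta"'),
    (r"C:\Users\Admin\AppData\Roaming\Info.hta",
     r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"'),
    ("c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe",
     r"C:\Windows\System32\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe"),
]

# Paths the sample itself created during the same detonation, taken from the
# "Drops startup file" and "Drops file in System32 directory" tables.
DROPPED_FILES = {
    r"C:\Windows\System32\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe",
    r"C:\Windows\System32\Info.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    r"\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
}

# Assumed list of signed Windows binaries that execute attacker-supplied content;
# an autostart routed through one of them passes naive "is the image signed?" checks.
LOLBIN_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex is deliberately not used: it treats backslashes as escape characters."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def analyze_run_value(name: str, data: str, dropped: set[str]) -> list[str]:
    """Return the reasons a single Run value looks like malware persistence."""
    findings: list[str] = []
    tokens = split_cmdline(data)
    if not tokens:
        return findings
    image = PureWindowsPath(tokens[0]).name.lower()
    if image in LOLBIN_HOSTS:
        findings.append(f"autostart goes through script host {image}")
    dropped_lower = {p.lower() for p in dropped}
    for tok in tokens:
        if tok.lower() in dropped_lower:
            findings.append(f"autostart target was written by the sample: {tok}")
    if "\\" in name:
        # Installers normally register a product name; this sample uses the
        # full path of the .hta as the value name.
        findings.append("value name is a file path rather than a product name")
    return findings


def triage_run_keys(values, dropped) -> dict[str, list[str]]:
    """Map every Run value name to the findings for it (empty list = nothing odd)."""
    return {name: analyze_run_value(name, data, dropped) for name, data in values}


if __name__ == "__main__":
    for name, reasons in triage_run_keys(RUN_VALUES, DROPPED_FILES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The second Info.hta entry gets fewer findings than the first because the report does not list C:\Users\Admin\AppData\Roaming\Info.hta under "File created"; the correlation only works for drops the sandbox actually recorded, so a missing hit there means "not observed", not "benign".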

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1U7Y9BT8\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4KNYJNXZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ADWO43R6\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5O2ZS8DL\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4TDQSVWU\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0UQMQ1C\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BBWU148F\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Slipstream.thmx.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18199_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18209_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PEOPLEDATAHANDLER.DLL.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\EET.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2B.GIF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287024.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\classes.jsa C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF.id-5DE67989.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2016 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2016 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2016 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2016 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2016 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1764 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 944 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 944 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 944 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 944 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 944 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 944 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1764 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 1764 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe

"C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.id-5DE67989.[[email protected]].V

MD5 fbb90a6e7d50fe1b0912405584623466
SHA1 0f8bdeea803dbf8ba04c3b7feaf7efb619845ee6
SHA256 b85ce61806a3c6b807ac13ba75d56654c60d931fbc1bdd8b78c1a7bfa079afb5
SHA512 0bafd91b365062571da67570a66528b17f1868139bde9ea95b4c030e5c53b771f021d66b792c806e78615b15e0fd6a127687fd9908855854b54454eaa11ac7c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 d254bbb6368a55acab63fdfe80077a29
SHA1 7cb3d72bdec89ec27df52272b91b7b3d3c4d3ad9
SHA256 f8ea1c5efed637769c577f787ff5f4fb7769fd6b3718716bbc48574accebc6a0
SHA512 6e7291ea12a25c560ed5b19d97f3c42743c6c99ff7a0679cfeb83959e0b3a56721327dac43ac8ecce830cf86626496f27233db6a47c88eee707f59726b420949

memory/1596-20109-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 22:57

Reported

2025-02-26 22:59

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe"

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (666) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe = "C:\\Windows\\System32\\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\internal.identity_helper.exe.manifest.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_ru.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\CommonCapabilities.json.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-150.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.ViewModel.winmd C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\xlsrvintl.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\internal.identity_helper.exe.manifest C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozavutil.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ky.txt.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\ReadTest.m1v.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\ui-strings.js.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_lv.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Edge.dat.LOG1.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.ps1 C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs_icons.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.id-A41869B9.[[email protected]].V C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4348 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3544 wrote to memory of 5924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4348 wrote to memory of 6656 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\system32\cmd.exe
PID 6656 wrote to memory of 5652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4348 wrote to memory of 8236 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe
PID 6656 wrote to memory of 5956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4348 wrote to memory of 7180 N/A C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe C:\Windows\System32\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe

"C:\Users\Admin\AppData\Local\Temp\c4816edacf346f207e7f3fdd5f519fefd2465d21e08cad1936a1bde32d7faea0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-A41869B9.[[email protected]].V

MD5 4258c52b4ffc8da883ec73257703d6dd
SHA1 9f8dd11e30acee3b7299b813c56840c1a5f579a0
SHA256 67413b5c40c3c1e739c9b062bec6c5a4e25b556cffd5bbc1fb507aeaadcf9df1
SHA512 24eca5fdcfa9c641c77babb3b1e6ec01cc03fe63b481edb78936023c7325ff561c1640fb8bd17411cb80d519e91b9baecbb93cf7f21d779e7b4ea01b2d4a6916

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

MD5 1e5cb12ffe6dcf7693018ca7063e2b3b
SHA1 8a54cd2c97e09d334944ce40ad019778e5f9a08f
SHA256 6f37204de2a45f0789c803e99217e3195b8b495e062605725d47072d4fe0363a
SHA512 8ba3276c59d5d4c02bf3ce0433e89e9848bd41c2bf31c5801b4e6087e154d7442a3b0bcc88df843a730acfb56bd56da44682871dd066b3ad291e9a6be6b737a3