Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-snxlvaxnt3
Target 1.ex
SHA256 99067d26b7cc568c78e595aa1e0eed2e2f29a421612f0d30ddece76d1095acd5
Tags upx defense_evasion discovery ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 99067d26b7cc568c78e595aa1e0eed2e2f29a421612f0d30ddece76d1095acd5

Threat Level: Known bad

The file 1.ex was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery ransomware trojan

Modifies Windows Defender Real-time Protection settings

Disables use of System Restore points

Drops startup file

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

UPX packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-05-03 15:16

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-03 15:16

Reported 2025-05-03 15:17

Platform win11-20250502-en

Max time kernel 20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Disables use of System Restore points

defense_evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81D23CDCE53C9A39C03F717C9A7CBF28.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81D23CDCE53C9A39C03F717C9A7CBF28.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\users\admin\videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\accountpictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\favorites\links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\onedrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\saved games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\saved pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\1033\dataservices\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\camera roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\81D23CDCE53C9A39C03F717C9A7CBF28.bmp" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.41182.0_x64__8wekyb3d8bbwe\assets\contrast-black\applist.targetsize-20_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sign-services-auth\js\nls\en-il\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.gethelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\gethelpbadgelogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.549981c3f5f10_2.2106.2807.0_x64__8wekyb3d8bbwe\assets\store\appicon.altform-unplated_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\assets\tipssmalltile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.windowsnotepad_10.2102.13.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\ja-jp\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\mac\turkish.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.screensketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\contrast-black\snipsketchstorelogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.screensketch_11.2104.2.0_x64__8wekyb3d8bbwe\assets\fileassociation\fileassociation.targetsize-336.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunemusic_10.21012.10511.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\s_sendforcomments_18.svg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\de-de\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.screensketch_11.2104.2.0_x64__8wekyb3d8bbwe\assets\snipsketchapplist.targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsnotepad_10.2102.13.0_x64__8wekyb3d8bbwe\assets\ps1file.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\assets\tipsapplist.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.screensketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\snippingtool\assets\largetile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.549981c3f5f10_2.2106.2807.0_x64__8wekyb3d8bbwe\heycortana_en-us.table | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.screensketch_11.2104.2.0_x64__8wekyb3d8bbwe\assets\snipsketchapplist.targetsize-30_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.webmediaextensions_1.0.40831.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\hxcalendarwidetile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsstore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\apptiles\storewidetile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\homestudent2019r_retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\standard2019msdnr_retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\sdxs\fa000000018\index.win32.bundle.map | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\mozilla firefox\uninstall\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.powerautomatedesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\images\powerautomateappicon.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\exchangemediumtile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_signed_out.svg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\js\selector.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\mceperfctr.man | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.zunevideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\logo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windows.photos_21.21030.25003.0_x64__8wekyb3d8bbwe\assets\photosapplist.targetsize-20_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\hxcalendarapplist.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-files\images\icons_retina.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\de-de\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\assets\tipssmalltile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\txp_3color_invoice_378_dark.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\ro-ro\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.yourphone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\apptiles\contrast-white\splashscreen.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.xboxspeechtotextoverlay_1.17.29001.0_x64__8wekyb3d8bbwe\assets\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunemusic_10.21012.10511.0_x64__8wekyb3d8bbwe\assets\contrast-black\applist.targetsize-40_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\reviews\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\homebusinessr_retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\hxmailmediumtile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\hxcalendarlargetile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoftwindows.client.webexperience_321.14700.0.9_x64__cw5n1h2txyewy\dashboard\webcontent\node_modules\@fluentui\theme\lib\fonts\index.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\homebusinessr_retail3-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\o365smallbuspremr_subscription5-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\deletedalluserpackages\microsoft.windowsfeedbackhub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\images\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.bingnews_1.0.6.0_x64__8wekyb3d8bbwe\assets\apptiles\contrast-black\newsapplist.targetsize-30_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.microsoftstickynotes_4.0.2.0_x64__8wekyb3d8bbwe\assets\icons\stickynotesapplist.targetsize-32_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsstore_12104.1001.1.0_x64__8wekyb3d8bbwe\microsoft.membership.mecontrol.winmd | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoftwindows.client.webexperience_321.14700.0.9_x64__cw5n1h2txyewy\dashboard\webcontent\node_modules\@fluentui\react\lib\separator.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\mondor_bypasstrial180-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunemusic_10.21012.10511.0_x64__8wekyb3d8bbwe\assets\contrast-black\applist.targetsize-80_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\homestudent2019r_grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\fpa_f2\fa000000002 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Control Panel

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon\ = "C:\\ProgramData\\81D23CDCE53C9A39C03F717C9A7CBF28.ico" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 976 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2180 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2180 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 976 wrote to memory of 5708 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 5708 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 5708 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 976 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 976 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE

System policy modification

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "We encrypted and stolen all of your files.\r\r\nOpen #HowToRecover.txt and follow the instructions to recover your files.\r\r\nYour ID: 81D23CDCE53C9A39C03F717C9A7CBF28" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#HowToRecover.txt

Network

N/A

Files

memory/976-0-0x00000000005E0000-0x0000000000709000-memory.dmp

C:\PerfLogs\#HowToRecover.txt

MD5 b5b56eeb1cf7e1eb65e5084fd083c7d7
SHA1 8de0e9ef629fa5ddba0cc76c5cadc202590afbfc
SHA256 9d60b219f17876d4913c48a05600b29c3f2cf47926392fb17a022ac3f3f3845b
SHA512 33c16606e0fc517eee796deae01b036de8312f7510434681a24dc3de7c08f51870546800a481fe6d36dd478b6b3f2943ac263f5fac40c97964a1c4333f08c1f6

C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\6foV69LVg9.1cxz

MD5 7c26043d951fb440a1b10ed16c4890db
SHA1 686354a823c522881eb442f4e9573991ba5d025d
SHA256 a1bf9e88ddccb021b8a6219f1585677fd08df0dee5aca3a39297aefcc3d71a19
SHA512 508eb08c1de88beedd652b81a02a1d55bfcd39a7308de255e2aa7954f86b22cbb1f9d574d1fbcebfcac75b4d4d9495659032a60a5f1c226e043ecdb558c6d1f5

memory/976-8846-0x00000000005E0000-0x0000000000709000-memory.dmp

memory/976-8876-0x00000000005E0000-0x0000000000709000-memory.dmp

memory/976-14769-0x00000000005E0000-0x0000000000709000-memory.dmp