Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-spqvpaek7z
Target 1.ex
SHA256 99067d26b7cc568c78e595aa1e0eed2e2f29a421612f0d30ddece76d1095acd5
Tags
upx defense_evasion discovery ransomware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 1.ex was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Disables use of System Restore points

Drops startup file

Checks computer location settings

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

UPX packed file

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

System policy modification

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK: Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-05-03 15:18

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 15:18

Reported

2025-05-03 15:20

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Disables use of System Restore points

defense_evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C8EE3CFE1CE57604C03F717C9A7CBF28.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C8EE3CFE1CE57604C03F717C9A7CBF28.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\users\admin\searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\3d objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\saved pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\saved games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\1033\dataservices\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\onedrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\camera roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\favorites\links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\accountpictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\public\libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\users\admin\pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.bmp" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\contrast-black\badgelogo.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscamera_2018.826.98.0_x64__8wekyb3d8bbwe\assets\windowsicons\windowscameraapplist.contrast-white_targetsize-80.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxmailbadge.scale-400.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\contrast-black\applist.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-256_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\applist.targetsize-60_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\outlookmailmediumtile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxa-google.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\widetile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\widetile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.windowsfeedbackhub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\insiderhubmedtile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\contrast-black\storelogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\home\rtl\contrast-black\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_sendforsignature_18.svg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\onenotesmalltile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\outlookmailbadge.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\traffichub\contrast-black\smalltile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\common.view.uwp\strings\hr-hr\view3d\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.microsoftstickynotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.people_10.1902.633.0_x64__8wekyb3d8bbwe\assets\contrast-white\peoplemedtile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\exchangebadge.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\assets\gamesxboxhubapplist.targetsize-36_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\powerpointr_trial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\deletedalluserpackages\microsoft.gethelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\tinytile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.net.native.runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\appxsignature.p7x | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsfeedbackhub_1.1907.3152.0_x64__8wekyb3d8bbwe\assets\insiderhubapplist.targetsize-60_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\directions\place\ltr\contrast-white\widetile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-96_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\root\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\sv-se\playstore_icon.svg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\access2019r_oem_perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\contrast-black\mixedrealityportalstorelogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\assets\background_roomtracing_04.jpg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\emptyshare.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.microsoftsolitairecollection_4.4.8204.0_x64__8wekyb3d8bbwe\win10\splashscreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\nb-no\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\onenote_strings.js | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\onenoteapplist.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\home\rtl\contrast-white\widetile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.mspaint_6.1907.29027.0_x64__8wekyb3d8bbwe\assets\images\stickers\sticker_cloud.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\applist.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxcalendarapplist.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\ja-jp\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\videolan\vlc\locale\de\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\onenotesplashlogo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxa-advanced-dark.scale-150.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\ja-jp\appstore_icon.svg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\java\jdk-1.8\jre\lib\amd64\jvm.cfg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\skypeforbusinessr_grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\licenses16\visiopromsdnr_retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\7.jpg | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\attachmentplaceholder-dark.png | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\images\themes\dark\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\microsoft office\root\office16\1033\winword_col.hxt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\appxmetadata\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\windowsapps\microsoft.windowscalculator_10.1906.55.0_x64__8wekyb3d8bbwe\winmetadata\microsoft.ui.xaml.winmd | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\place\ltr\#HowToRecover.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\program files\7-zip\lang\tr.txt | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Modifies Control Panel

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon\ = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.ico" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5372 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 5420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3476 wrote to memory of 5420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3476 wrote to memory of 5420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5372 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5372 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5372 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5372 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 5504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1436 wrote to memory of 5504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1436 wrote to memory of 5504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

System policy modification

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "We encrypted and stolen all of your files.\r\r\nOpen #HowToRecover.txt and follow the instructions to recover your files.\r\r\nYour ID: C8EE3CFE1CE57604C03F717C9A7CBF28" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#HowToRecover.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" (/c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.184.195:80 | c.pki.goog | tcp

Files

memory/5372-0-0x0000000000260000-0x0000000000389000-memory.dmp

C:\PerfLogs\#HowToRecover.txt

MD5 65aa265fdd130539d06c1058297be2fd
SHA1 f1bec6fed783a32d3ff263870dc8a0375276631b
SHA256 6ff0ae3d3e1ff25b063d5fd40b5c78d2c598203d6965a3accd360890911c3b78
SHA512 570ef02d882b2d2556ab92d5bd7f4a2a64aa3aefbde7dcbed7c4618d96350fd88a28ba2e5f94921a4523ee0722c1b823173c8c172790afa80da8782a4f4e9021

memory/5372-9106-0x0000000000260000-0x0000000000389000-memory.dmp

memory/5372-9135-0x0000000000260000-0x0000000000389000-memory.dmp

memory/5372-14852-0x0000000000260000-0x0000000000389000-memory.dmp

memory/5372-14853-0x0000000000260000-0x0000000000389000-memory.dmp

memory/5372-14859-0x0000000000260000-0x0000000000389000-memory.dmp