f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05

General

Target

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
Size

588KB
MD5

d4f2318beec5fb9fbe1c8e33472159a4
SHA1

55f05db53254f8d129c3fabc91e1b46d93c81b92
SHA256

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05
SHA512

b1b23730841240b051034c36d9e8c69400212ae51f43a3c9f8f4ac79c860a1d2d7af9727e1ff1303a87f9146b22fbad5091f2a1879925b1a01922b949379d1e9

Score

10^/10

ransomware persistence

Malware Config

Extracted

Path

C:\R3ADM3.txt

Ransom Note

The network is LOCKED. Do not try to use other software. For decryption tool write HERE: guifullcharti1970@protonmail.com phrasitliter1981@protonmail.com If you do not pay, we will publish private data on our news site.

Emails

guifullcharti1970@protonmail.com

phrasitliter1981@protonmail.com

Signatures

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnregisterInitialize.png => C:\Users\Admin\Pictures\UnregisterInitialize.png.UAKXC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Pictures\PingApprove.tiff	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File renamed	C:\Users\Admin\Pictures\PingApprove.tiff => C:\Users\Admin\Pictures\PingApprove.tiff.UAKXC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File renamed	C:\Users\Admin\Pictures\StepRead.tif => C:\Users\Admin\Pictures\StepRead.tif.UAKXC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File renamed	C:\Users\Admin\Pictures\UninstallPush.raw => C:\Users\Admin\Pictures\UninstallPush.raw.UAKXC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

Drops desktop.ini file(s) 32 IoCs

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 6854 IoCs

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CONVERT\ORG97.SAM	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL077.XML	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0297727.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBCOLOR.SCM	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSWORD.OLB	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0241077.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.dtd	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02025_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PROG98.POC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00272_.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\ReviewRouting_Review.xsn	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\R3ADM3.txt	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\BZCARD11.POC	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\DOC.CFG	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Groove Starter Template.xsn	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

Suspicious behavior: EnumeratesProcesses 162 IoCs

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

pid	process
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

Suspicious use of AdjustPrivilegeToken 447 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1572	vssvc.exe
Token: SeRestorePrivilege	1572	vssvc.exe
Token: SeAuditPrivilege	1572	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

pid	process
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1124 wrote to memory of 1984	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1984	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1984	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1984	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1984 wrote to memory of 1960	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 1960	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 1960	1984	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 436	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 436	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 436	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 436	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 436 wrote to memory of 320	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 320	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 320	436	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 824	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 824	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 824	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 824	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 824 wrote to memory of 324	824	cmd.exe	WMIC.exe
PID 824 wrote to memory of 324	824	cmd.exe	WMIC.exe
PID 824 wrote to memory of 324	824	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1172	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1172	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1172	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1172	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1172 wrote to memory of 688	1172	cmd.exe	WMIC.exe
PID 1172 wrote to memory of 688	1172	cmd.exe	WMIC.exe
PID 1172 wrote to memory of 688	1172	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 368	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 368	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 368	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 368	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 368 wrote to memory of 836	368	cmd.exe	WMIC.exe
PID 368 wrote to memory of 836	368	cmd.exe	WMIC.exe
PID 368 wrote to memory of 836	368	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1184	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1184	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1184	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1184	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1960	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1960	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1960	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 1960	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1960 wrote to memory of 528	1960	cmd.exe	WMIC.exe
PID 1960 wrote to memory of 528	1960	cmd.exe	WMIC.exe
PID 1960 wrote to memory of 528	1960	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 320	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 320	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 320	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 320	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 320 wrote to memory of 1100	320	cmd.exe	WMIC.exe
PID 320 wrote to memory of 1100	320	cmd.exe	WMIC.exe
PID 320 wrote to memory of 1100	320	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 324	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 324	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 324	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 1124 wrote to memory of 324	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe
PID 324 wrote to memory of 976	324	cmd.exe	WMIC.exe
PID 324 wrote to memory of 976	324	cmd.exe	WMIC.exe
PID 324 wrote to memory of 976	324	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 308	1124	f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
"C:\Users\Admin\AppData\Local\Temp\f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4566BDE7-D9BC-40E9-914E-75B6FE041A60}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4566BDE7-D9BC-40E9-914E-75B6FE041A60}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{262AED25-86BF-4ECA-BE2B-0A721721225D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{262AED25-86BF-4ECA-BE2B-0A721721225D}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57CAC47B-5DA4-4A8C-9F4A-1CBEED32B4CD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57CAC47B-5DA4-4A8C-9F4A-1CBEED32B4CD}'" delete
3⤵
PID:324

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83E41C58-363E-480D-A822-23328CC0CE08}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83E41C58-363E-480D-A822-23328CC0CE08}'" delete
3⤵
PID:688

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FD94DD0-A65A-4932-9BBE-3002637A79AC}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FD94DD0-A65A-4932-9BBE-3002637A79AC}'" delete
3⤵
PID:836

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0F7AE9A-4D9C-48FD-BB80-5303C83278D1}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0F7AE9A-4D9C-48FD-BB80-5303C83278D1}'" delete
3⤵
PID:1976

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EFE7B7E3-757D-4FAB-8633-C3490AA8CCB6}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EFE7B7E3-757D-4FAB-8633-C3490AA8CCB6}'" delete
3⤵
PID:528

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{20A2D9DB-6F14-4EB3-B35E-C81771212B1F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{20A2D9DB-6F14-4EB3-B35E-C81771212B1F}'" delete
3⤵
PID:1100

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACE5448B-4A74-4875-9B43-E377AC8BEC7F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACE5448B-4A74-4875-9B43-E377AC8BEC7F}'" delete
3⤵
PID:976

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2C007F17-791E-46A6-A59B-071D466B3D84}'" delete
2⤵
PID:308

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2C007F17-791E-46A6-A59B-071D466B3D84}'" delete
3⤵
PID:1472

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADF8E430-F00C-4266-B408-F8C18C9C4243}'" delete
2⤵
PID:1064

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADF8E430-F00C-4266-B408-F8C18C9C4243}'" delete
3⤵
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-20-0x0000000000000000-mapping.dmp

Download
memory/320-16-0x0000000000000000-mapping.dmp

Download
memory/320-5-0x0000000000000000-mapping.dmp

Download
memory/324-18-0x0000000000000000-mapping.dmp

Download
memory/324-7-0x0000000000000000-mapping.dmp

Download
memory/368-10-0x0000000000000000-mapping.dmp

Download
memory/436-4-0x0000000000000000-mapping.dmp

Download
memory/528-15-0x0000000000000000-mapping.dmp

Download
memory/688-9-0x0000000000000000-mapping.dmp

Download
memory/824-6-0x0000000000000000-mapping.dmp

Download
memory/836-11-0x0000000000000000-mapping.dmp

Download
memory/976-19-0x0000000000000000-mapping.dmp

Download
memory/1064-22-0x0000000000000000-mapping.dmp

Download
memory/1100-17-0x0000000000000000-mapping.dmp

Download
memory/1124-0-0x0000000001C90000-0x0000000001CBD000-memory.dmp

Filesize
180KB

Download
memory/1124-1-0x0000000001DC0000-0x0000000001DEB000-memory.dmp

Filesize
172KB

Download
memory/1172-8-0x0000000000000000-mapping.dmp

Download
memory/1184-12-0x0000000000000000-mapping.dmp

Download
memory/1472-21-0x0000000000000000-mapping.dmp

Download
memory/1960-3-0x0000000000000000-mapping.dmp

Download
memory/1960-14-0x0000000000000000-mapping.dmp

Download
memory/1976-13-0x0000000000000000-mapping.dmp

Download
memory/1984-2-0x0000000000000000-mapping.dmp

Download
memory/2024-23-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads