1de446ec3ae6ed984e52bd031814ec1397eb5d4f26feb38da866e5b83f6468bd

General

Target

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
Size

208KB
MD5

b3d6ba0aa663f699283d25ddcb6561b9
SHA1

a1f27e6be62bf0af7d5bff447156b3413f0d97c8
SHA256

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c
SHA512

6d3b5f75169243f44247bb6ad32d6f68d937240e0d1711373012d696729a3e44ad21336e96a5548e11605412365ad4f53d2f5c798e74f204be2c16df5ae610ef

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

Аll оf уоur files аrе currеntlу еncrуptеd bу CОNTI rаnsоmwаrе. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our email polzarutu1982@protonmail.com Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- sRttGzzkzsoiC9s8LgcrQk64ew7H47a5JSjCsLGbwdijogjulfu3RO9XBJbfEgCZ ---END ID---

Emails

polzarutu1982@protonmail.com

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

Signatures

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.CECJF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File renamed	C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.CECJF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 39 IoCs

Processes:

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

Drops file in Program Files directory 8854 IoCs

Processes:

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\RegisterEdit.pcx	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPACE_01.MID	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143749.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.ELM	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nipigon	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Java\jre7\lib\amd64\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\readme.txt	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1840 NOTEPAD.EXE

pid	process
1840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 193 IoCs

Processes:

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

pid	process
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

Suspicious use of AdjustPrivilegeToken 444 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1652	vssvc.exe
Token: SeRestorePrivilege	1652	vssvc.exe
Token: SeAuditPrivilege	1652	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1176	WMIC.exe
Token: SeSecurityPrivilege	1176	WMIC.exe
Token: SeTakeOwnershipPrivilege	1176	WMIC.exe
Token: SeLoadDriverPrivilege	1176	WMIC.exe
Token: SeSystemProfilePrivilege	1176	WMIC.exe
Token: SeSystemtimePrivilege	1176	WMIC.exe
Token: SeProfSingleProcessPrivilege	1176	WMIC.exe
Token: SeIncBasePriorityPrivilege	1176	WMIC.exe
Token: SeCreatePagefilePrivilege	1176	WMIC.exe
Token: SeBackupPrivilege	1176	WMIC.exe
Token: SeRestorePrivilege	1176	WMIC.exe
Token: SeShutdownPrivilege	1176	WMIC.exe
Token: SeDebugPrivilege	1176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1176	WMIC.exe
Token: SeRemoteShutdownPrivilege	1176	WMIC.exe
Token: SeUndockPrivilege	1176	WMIC.exe
Token: SeManageVolumePrivilege	1176	WMIC.exe
Token: 33	1176	WMIC.exe
Token: 34	1176	WMIC.exe
Token: 35	1176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1176	WMIC.exe
Token: SeSecurityPrivilege	1176	WMIC.exe
Token: SeTakeOwnershipPrivilege	1176	WMIC.exe
Token: SeLoadDriverPrivilege	1176	WMIC.exe
Token: SeSystemProfilePrivilege	1176	WMIC.exe
Token: SeSystemtimePrivilege	1176	WMIC.exe
Token: SeProfSingleProcessPrivilege	1176	WMIC.exe
Token: SeIncBasePriorityPrivilege	1176	WMIC.exe
Token: SeCreatePagefilePrivilege	1176	WMIC.exe
Token: SeBackupPrivilege	1176	WMIC.exe
Token: SeRestorePrivilege	1176	WMIC.exe
Token: SeShutdownPrivilege	1176	WMIC.exe
Token: SeDebugPrivilege	1176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1176	WMIC.exe
Token: SeRemoteShutdownPrivilege	1176	WMIC.exe
Token: SeUndockPrivilege	1176	WMIC.exe
Token: SeManageVolumePrivilege	1176	WMIC.exe
Token: 33	1176	WMIC.exe
Token: 34	1176	WMIC.exe
Token: 35	1176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe

Suspicious use of WriteProcessMemory 80 IoCs

Processes:

d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 284	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 284	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 284	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 284	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 284 wrote to memory of 1176	284	cmd.exe	WMIC.exe
PID 284 wrote to memory of 1176	284	cmd.exe	WMIC.exe
PID 284 wrote to memory of 1176	284	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 840 wrote to memory of 320	840	cmd.exe	WMIC.exe
PID 840 wrote to memory of 320	840	cmd.exe	WMIC.exe
PID 840 wrote to memory of 320	840	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1956	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1956	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1956	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1956	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1956 wrote to memory of 2012	1956	cmd.exe	WMIC.exe
PID 1956 wrote to memory of 2012	1956	cmd.exe	WMIC.exe
PID 1956 wrote to memory of 2012	1956	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 2008	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 2008	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 2008	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 2008	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 2008 wrote to memory of 1620	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 1620	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 1620	2008	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 820	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 820	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 820	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 820	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 820 wrote to memory of 964	820	cmd.exe	WMIC.exe
PID 820 wrote to memory of 964	820	cmd.exe	WMIC.exe
PID 820 wrote to memory of 964	820	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1840	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1840 wrote to memory of 596	1840	cmd.exe	WMIC.exe
PID 1840 wrote to memory of 596	1840	cmd.exe	WMIC.exe
PID 1840 wrote to memory of 596	1840	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1108	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1108	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1108	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1108	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1108 wrote to memory of 1084	1108	cmd.exe	WMIC.exe
PID 1108 wrote to memory of 1084	1108	cmd.exe	WMIC.exe
PID 1108 wrote to memory of 1084	1108	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1712	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1712	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1712	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 1712	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1712 wrote to memory of 1624	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 1624	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 1624	1712	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 456	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 456	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 456	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 1924 wrote to memory of 456	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe
PID 456 wrote to memory of 528	456	cmd.exe	WMIC.exe
PID 456 wrote to memory of 528	456	cmd.exe	WMIC.exe
PID 456 wrote to memory of 528	456	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 436	1924	d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
"C:\Users\Admin\AppData\Local\Temp\d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C94F5DE-71AA-4748-A6E4-65D732C8E17B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C94F5DE-71AA-4748-A6E4-65D732C8E17B}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEAC8CFA-3DBF-4075-86C2-AEB4E13B8C8D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEAC8CFA-3DBF-4075-86C2-AEB4E13B8C8D}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A63CD4-7BC9-443E-B08E-F75B9AAA7BEE}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A63CD4-7BC9-443E-B08E-F75B9AAA7BEE}'" delete
3⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A8F9DEFE-0315-4860-BBD3-3EA51B04277B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A8F9DEFE-0315-4860-BBD3-3EA51B04277B}'" delete
3⤵
PID:1620

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F485DFB7-940C-445F-89B0-830CD4C0C6AA}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F485DFB7-940C-445F-89B0-830CD4C0C6AA}'" delete
3⤵
PID:964

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62B550E8-FBB1-4E5A-8A36-2AD110607E82}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62B550E8-FBB1-4E5A-8A36-2AD110607E82}'" delete
3⤵
PID:596

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5012BF2-8EBD-43FA-9BD9-AAC31516894B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5012BF2-8EBD-43FA-9BD9-AAC31516894B}'" delete
3⤵
PID:1084

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9311D394-0691-49F4-9843-4698E19D71B7}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9311D394-0691-49F4-9843-4698E19D71B7}'" delete
3⤵
PID:1624

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114C0DA1-C29B-46BD-B65D-DC42616CE6F9}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114C0DA1-C29B-46BD-B65D-DC42616CE6F9}'" delete
3⤵
PID:528

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DCC28F2F-1AB0-404A-9561-EB252EC404F1}'" delete
2⤵
PID:436

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DCC28F2F-1AB0-404A-9561-EB252EC404F1}'" delete
3⤵
PID:320

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07E5D5E7-4EB4-4081-AC00-CF87FFD39B2C}'" delete
2⤵
PID:328

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07E5D5E7-4EB4-4081-AC00-CF87FFD39B2C}'" delete
3⤵
PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef7ba6e00,0x7fef7ba6e10,0x7fef7ba6e20
2⤵
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
1fd3e5284790de856f48f69097674165

SHA1
236a3ce8851d8cf0e3d6732fcb506ea78592b400

SHA256
24b909d46a81506df96bdaa71eed4d9d4e689ea506e99cd20b54222f93205528

SHA512
b23efe3abdfd0b05409c34fb9bba059a07d41f32445a2d6a1f79fe035955321daccccea02d30d833ee96386a8ebf7eacc3e50f8e70e9e57a1a05ccb165b19649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
1fd3e5284790de856f48f69097674165

SHA1
236a3ce8851d8cf0e3d6732fcb506ea78592b400

SHA256
24b909d46a81506df96bdaa71eed4d9d4e689ea506e99cd20b54222f93205528

SHA512
b23efe3abdfd0b05409c34fb9bba059a07d41f32445a2d6a1f79fe035955321daccccea02d30d833ee96386a8ebf7eacc3e50f8e70e9e57a1a05ccb165b19649

Download Submit
C:\Users\Public\Desktop\readme.txt
MD5
d81fc6caab6bf3c7aab7452f9e6a7351

SHA1
2245a9393033dfa9d5ec4f97c4aacdc8d9a8d927

SHA256
113a67545aad7d8724e7281615abcfce981135244b20fecbffcb9dd1726bc23b

SHA512
370b8f8ce17cbb222d67298f4035da3e8c92d4c0bb6c93fd4381c4eff1cec4e0d5fc251af4255c24ac7fe058ff6ae2b7898a51fad7db8ee84400e23318002841

Download Submit
memory/284-3-0x0000000000000000-mapping.dmp

Download
memory/320-6-0x0000000000000000-mapping.dmp

Download
memory/320-22-0x0000000000000000-mapping.dmp

Download
memory/328-23-0x0000000000000000-mapping.dmp

Download
memory/436-21-0x0000000000000000-mapping.dmp

Download
memory/456-19-0x0000000000000000-mapping.dmp

Download
memory/528-20-0x0000000000000000-mapping.dmp

Download
memory/596-14-0x0000000000000000-mapping.dmp

Download
memory/820-11-0x0000000000000000-mapping.dmp

Download
memory/840-5-0x0000000000000000-mapping.dmp

Download
memory/844-24-0x0000000000000000-mapping.dmp

Download
memory/964-12-0x0000000000000000-mapping.dmp

Download
memory/1048-27-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1072-28-0x0000000000000000-mapping.dmp

Download
memory/1084-16-0x0000000000000000-mapping.dmp

Download
memory/1108-15-0x0000000000000000-mapping.dmp

Download
memory/1176-4-0x0000000000000000-mapping.dmp

Download
memory/1620-10-0x0000000000000000-mapping.dmp

Download
memory/1624-18-0x0000000000000000-mapping.dmp

Download
memory/1712-17-0x0000000000000000-mapping.dmp

Download
memory/1840-13-0x0000000000000000-mapping.dmp

Download
memory/1840-25-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1956-7-0x0000000000000000-mapping.dmp

Download
memory/2008-9-0x0000000000000000-mapping.dmp

Download
memory/2012-8-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads