Analysis

max time kernel: 130s
max time network: 141s
platform: windows10_x64
resource: win10v20201028
submitted: 20-01-2021 15:44

Static task: static1
Behavioral task: behavioral1 (Sample: locker.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: locker.exe, Resource: win10v20201028)

General

Target: locker.exe
Size: 191KB
MD5: 20f0c736a966142de88dee06a2e4a5b1
SHA1: afb2fe6b541069259b0fd9be82d62594a361afb0
SHA256: 198667b1eda010a431dfb051a101cc73ead1d45ba8d0f6641ec1c14bca4106f3
SHA512: a012898e9e8cc6789cbaea7a36f54140f1b70c45b8874f2f5504ea3971494d5856f7f54aaa00dc37a3746362d85b54c665bc485f0e7d491ec99e9155950c7e43
Malware Config

Extracted from: C:\readme.txt
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.best
Signatures

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: locker.exe
File renamed: C:\Users\Admin\Pictures\TestConvertTo.tiff => C:\Users\Admin\Pictures\TestConvertTo.tiff.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\UnpublishResolve.raw => C:\Users\Admin\Pictures\UnpublishResolve.raw.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\ConvertToExpand.png => C:\Users\Admin\Pictures\ConvertToExpand.png.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\DenyWatch.raw => C:\Users\Admin\Pictures\DenyWatch.raw.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\ReceiveConnect.raw => C:\Users\Admin\Pictures\ReceiveConnect.raw.KKBKR (locker.exe)
File renamed: C:\Users\Admin\Pictures\RedoNew.raw => C:\Users\Admin\Pictures\RedoNew.raw.KKBKR (locker.exe)
File opened for modification: C:\Users\Admin\Pictures\TestConvertTo.tiff (locker.exe)
Drops startup file (1 IoC)
Processes: locker.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (locker.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (61 IoCs)
Processes: locker.exe
Drops file in Program Files directory (9233 IoCs)
Processes: locker.exe
Drops file in Windows directory (1 IoC)
Processes: svchost.exe
File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)
Modifies Control Panel (1 IoC)
Processes: ShellExperienceHost.exe
Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors (ShellExperienceHost.exe)
Suspicious behavior: EnumeratesProcesses (200 IoCs)
Processes: locker.exe
pid process: 1192 locker.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: locker.exe
pid process: 1192 locker.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: vssvc.exe, WMIC.exe
vssvc.exe (PID 2960), Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 964), Token (the same sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ShellExperienceHost.exe
pid process: 3844 ShellExperienceHost.exe
pid process: 3844 ShellExperienceHost.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: locker.exe, cmd.exe
PID 1192 (locker.exe) wrote to memory of 2120 (cmd.exe)
PID 1192 (locker.exe) wrote to memory of 2120 (cmd.exe)
PID 2120 (cmd.exe) wrote to memory of 964 (WMIC.exe)
PID 2120 (cmd.exe) wrote to memory of 964 (WMIC.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\locker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\locker.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93112D84-1B93-496E-9888-06FD5CF49C31}'" delete
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\wbem\WMIC.exe
          Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93112D84-1B93-496E-9888-06FD5CF49C31}'" delete
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  - Drops file in Windows directory