Analysis
max time kernel: 134s
max time network: 108s
platform: windows7_x64
resource: win7v20210408
submitted: 28-09-2021 07:53

Static task: static1
Behavioral task: behavioral1
  Sample: 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
  Resource: win10v20210408

General
Target: 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
Size: 196KB
MD5: 21cebf7aefdae41e3c0c89a3a6f904c4
SHA1: 866419baad25a08b12cefbe6d19681bae7b692a3
SHA256: 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196
SHA512: b4eec6daf509a3dd5518f09eeceff016ee10c48b84fa9ea35dd13f35de71ee7356029b872b79a4cfd74b42b437d0c044fceda4c7c07ecaf1f59bea31a7477446

Malware Config
Extracted: C:\readme.txt
Family: conti
URLs:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\GetSkip.raw => C:\Users\Admin\Pictures\GetSkip.raw.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\UpdateStart.tif => C:\Users\Admin\Pictures\UpdateStart.tif.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\WatchConvert.tiff | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\WatchConvert.tiff => C:\Users\Admin\Pictures\WatchConvert.tiff.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ApproveExport.tiff => C:\Users\Admin\Pictures\ApproveExport.tiff.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\BackupClose.crw => C:\Users\Admin\Pictures\BackupClose.crw.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ApproveExport.tiff | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\BlockRevoke.crw => C:\Users\Admin\Pictures\BlockRevoke.crw.MPSJS | 2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (39 IoCs)
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2412b5ee3bf9de72b0e98999857d0152dbc6d0e8204d907f874ce71bcef70196.bin.sample.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1972

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1904

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 776

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1756

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 1776

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1488

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
    PID: 1420

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1724

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
    PID: 1728

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1008

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
    PID: 1380

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1736

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
    PID: 1668

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 1948

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
    PID: 1612

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 752

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
    PID: 1708

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  - Suspicious use of WriteProcessMemory
  PID: 684

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
    PID: 1140

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  PID: 340

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    PID: 976

  Image: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
  PID: 828

    Image: C:\Windows\System32\wbem\WMIC.exe
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    PID: 1744

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2040