Analysis
max time kernel: 147s
max time network: 46s
platform: windows7_x64
resource: win7v20210408
submitted: 28-09-2021 08:01

Static task: static1
Behavioral task: behavioral1
Sample: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
Resource: win10v20210408

General
Target: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
Size: 186KB
MD5: 9deb222bace3387108c25a82d2bea2ea
SHA1: 541bd9855a01b2b785534bcac62e331036eaf0db
SHA256: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a
SHA512: 74b5e55b80add95ee6390622fcdb7b85f42f74b7dba1596c5c76e35e30c703765a7765b11ce4c8e84ba2383aa304b2ef95bcad70208f44ac88440d05a579a0bb
Malware Config
Extracted: C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt
ryuk
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File renamed: C:\Users\Admin\Pictures\ExitFind.crw => C:\Users\Admin\Pictures\ExitFind.crw.QMIBK (process: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe)
File renamed: C:\Users\Admin\Pictures\ImportDebug.tif => C:\Users\Admin\Pictures\ImportDebug.tif.QMIBK (process: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe)
File renamed: C:\Users\Admin\Pictures\NewReset.raw => C:\Users\Admin\Pictures\NewReset.raw.QMIBK (process: 3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (39 IoCs)
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/300-77-0x0000000000000000-mapping.dmp
-
memory/336-75-0x0000000000000000-mapping.dmp
-
memory/540-64-0x0000000000000000-mapping.dmp
-
memory/780-63-0x0000000000000000-mapping.dmp
-
memory/800-72-0x0000000000000000-mapping.dmp
-
memory/824-81-0x0000000000000000-mapping.dmp
-
memory/828-82-0x0000000000000000-mapping.dmp
-
memory/836-70-0x0000000000000000-mapping.dmp
-
memory/1080-60-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize 8KB)
-
memory/1092-76-0x0000000000000000-mapping.dmp
-
memory/1108-78-0x0000000000000000-mapping.dmp
-
memory/1248-74-0x0000000000000000-mapping.dmp
-
memory/1316-71-0x0000000000000000-mapping.dmp
-
memory/1420-67-0x0000000000000000-mapping.dmp
-
memory/1444-68-0x0000000000000000-mapping.dmp
-
memory/1544-69-0x0000000000000000-mapping.dmp
-
memory/1688-73-0x0000000000000000-mapping.dmp
-
memory/1696-79-0x0000000000000000-mapping.dmp
-
memory/1728-65-0x0000000000000000-mapping.dmp
-
memory/1728-80-0x0000000000000000-mapping.dmp
-
memory/1884-61-0x0000000000000000-mapping.dmp
-
memory/1972-66-0x0000000000000000-mapping.dmp
-
memory/2008-62-0x0000000000000000-mapping.dmp