Analysis
  max time kernel: 144s
  max time network: 47s
  platform: windows7_x64
  resource: win7v20210408
  submitted: 28-09-2021 09:19

Static task: static1

Behavioral task: behavioral1
  Sample: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  Resource: win10-en-20210920

General
  Target: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  Size: 194KB
  MD5: 2286384bd0aec92e81a0a3163a45447c
  SHA1: 350bc9d5342f1adf4cd6482b051e9afb78c0eb91
  SHA256: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7
  SHA512: 5d1bf6121b48ffdc728a1ecb583a32e0401235dffe188cd6c7b351480db1e12d8a7f39c29acf8e17533740afefc955d0adb36e9019bda6b3e2d9b69b658c9a98
Malware Config
  Extracted: C:\readme.txt
  conti
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.icu/
Signatures

- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.

- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  description | ioc (process for every row: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe)
  File renamed                  C:\Users\Admin\Pictures\PopShow.crw => C:\Users\Admin\Pictures\PopShow.crw.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\WatchPing.tiff => C:\Users\Admin\Pictures\WatchPing.tiff.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\BackupTrace.tif => C:\Users\Admin\Pictures\BackupTrace.tif.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\ConfirmSet.tif => C:\Users\Admin\Pictures\ConfirmSet.tif.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\MergeApprove.tiff => C:\Users\Admin\Pictures\MergeApprove.tiff.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.GWYXZ
  File renamed                  C:\Users\Admin\Pictures\UnprotectBackup.crw => C:\Users\Admin\Pictures\UnprotectBackup.crw.GWYXZ
  File opened for modification  C:\Users\Admin\Pictures\WatchPing.tiff
  File renamed                  C:\Users\Admin\Pictures\AddGroup.png => C:\Users\Admin\Pictures\AddGroup.png.GWYXZ
  File opened for modification  C:\Users\Admin\Pictures\MergeApprove.tiff
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops desktop.ini file(s) (39 IoCs)
  Processes: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  description | ioc (process for every row: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe)
  File opened for modification  C:\Users\Public\Recorded TV\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini
  File opened for modification  C:\Users\Admin\Favorites\desktop.ini
  File opened for modification  C:\Users\Admin\Saved Games\desktop.ini
  File opened for modification  C:\Users\Admin\Searches\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  File opened for modification  C:\Users\Admin\Downloads\desktop.ini
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini
  File opened for modification  C:\Users\Public\Libraries\desktop.ini
  File opened for modification  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini
  File opened for modification  C:\Users\Admin\Documents\desktop.ini
  File opened for modification  C:\Users\Public\Desktop\desktop.ini
  File opened for modification  C:\Users\Public\Music\Sample Music\desktop.ini
  File opened for modification  C:\Users\Public\Downloads\desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  File opened for modification  C:\Users\Public\Videos\Sample Videos\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  File opened for modification  C:\Users\Public\desktop.ini
  File opened for modification  C:\Users\Admin\Videos\desktop.ini
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  File opened for modification  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  File opened for modification  C:\Users\Public\Videos\desktop.ini
  File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini
  File opened for modification  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  File opened for modification  C:\Users\Admin\Contacts\desktop.ini
  File opened for modification  C:\Users\Admin\Links\desktop.ini
  File opened for modification  C:\Users\Admin\Music\desktop.ini
  File opened for modification  C:\Users\Public\Documents\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini
  File opened for modification  C:\Program Files\desktop.ini
  File opened for modification  C:\Program Files (x86)\desktop.ini
  File opened for modification  C:\Users\Public\Music\desktop.ini
  File opened for modification  C:\Users\Public\Pictures\desktop.ini
- Drops file in Program Files directory (64 IoCs)
  Processes: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  description | ioc (process for every row: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe)
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\VGX\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja
  File created                  C:\Program Files\VideoLAN\VLC\locale\da\readme.txt
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css
  File opened for modification  C:\Program Files\7-Zip\History.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158071.WMF
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\readme.txt
  File created                  C:\Program Files (x86)\Common Files\System\msadc\en-US\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.ELM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18245_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR38F.GIF
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\sq.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\readme.txt
  File created                  C:\Program Files\VideoLAN\VLC\skins\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\readme.txt
  File opened for modification  C:\Program Files\EnableRedo.easmx
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237225.WMF
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf
  File created                  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME44.CSS
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  pid | process
  280   5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  (the same pid/process row is recorded for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, WMIC.exe, WMIC.exe
  description | pid | process
  vssvc.exe (PID 1624):
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  WMIC.exe (PID 2004), the following sequence recorded twice:
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
  WMIC.exe (PID 556): the same twenty-entry sequence as for PID 2004, recorded once, followed by one more Token: SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe, cmd.exe (x9)
  description | pid | process | target process
  (PID 280 is 5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe throughout)
  PID 280 wrote to memory of 1164   280 -> cmd.exe    (4 entries)
  PID 1164 wrote to memory of 2004  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1944   280 -> cmd.exe    (4 entries)
  PID 1944 wrote to memory of 556   cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1500   280 -> cmd.exe    (4 entries)
  PID 1500 wrote to memory of 1852  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1748   280 -> cmd.exe    (4 entries)
  PID 1748 wrote to memory of 1696  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 820    280 -> cmd.exe    (4 entries)
  PID 820 wrote to memory of 1324   cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1340   280 -> cmd.exe    (4 entries)
  PID 1340 wrote to memory of 852   cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1668   280 -> cmd.exe    (4 entries)
  PID 1668 wrote to memory of 1652  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 1596   280 -> cmd.exe    (4 entries)
  PID 1596 wrote to memory of 1964  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 2008   280 -> cmd.exe    (4 entries)
  PID 2008 wrote to memory of 1928  cmd.exe -> WMIC.exe  (3 entries)
  PID 280 wrote to memory of 268    280 -> cmd.exe    (1 entry)
Processes
-
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, the behaviours flagged for that process, and its PID):

C:\Users\Admin\AppData\Local\Temp\5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e30c8fcb1ddd09e85853ce25cccd20036e47f3dcc49436012a67b42574187b7.bin.sample.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 280

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1164

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 2004

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1944

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 556

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1500

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
      PID: 1852

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1748

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
      PID: 1696

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 820

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
      PID: 1324

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1340

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
      PID: 852

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1668

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
      PID: 1652

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 1596

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
      PID: 1964

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 2008

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
      PID: 1928

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    PID: 268

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
      PID: 568

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    PID: 2028

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
      PID: 1732

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624