Analysis
max time kernel: 110s
max time network: 111s
platform: windows10_x64
resource: win10v20210408
submitted: 05-10-2021 08:41

Static task: static1

Behavioral task: behavioral1
  Sample: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
  Resource: win7-en-20210920

Behavioral task: behavioral2
  Sample: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
  Resource: win10v20210408
General
Target: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
Size: 206KB
MD5: f9234840f07c5cfe75b482275a63f549
SHA1: 8fbc27b26c4c582b5764eacf897a89fe74c0a88d
SHA256: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884
SHA512: d47d3a1fd0555da513c0a768d71b7eb19c9adb0df7a04431e74235a02fc37aa22a23beec3757ff1ce3b4370915ff07f431c1d8e26db3704188c1d9708a583ba6
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click/
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes: WerFault.exe
description | pid | process | target process
PID 2640 created 1096 | 2640 | WerFault.exe | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
process (all rows): 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
description | ioc
File renamed | C:\Users\Admin\Pictures\MergeCompare.tiff => C:\Users\Admin\Pictures\MergeCompare.tiff.QTBHS
File renamed | C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.QTBHS
File renamed | C:\Users\Admin\Pictures\RemoveRegister.raw => C:\Users\Admin\Pictures\RemoveRegister.raw.QTBHS
File renamed | C:\Users\Admin\Pictures\ConvertToSend.crw => C:\Users\Admin\Pictures\ConvertToSend.crw.QTBHS
File renamed | C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.QTBHS
File renamed | C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.QTBHS
File renamed | C:\Users\Admin\Pictures\ExitDebug.crw => C:\Users\Admin\Pictures\ExitDebug.crw.QTBHS
File opened for modification | C:\Users\Admin\Pictures\MergeCompare.tiff
Drops file in Program Files directory (64 IoCs)
Processes: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
process (all rows): 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
description | ioc
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms
File created | C:\Program Files\Common Files\microsoft shared\Stationery\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\net.properties
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms
File created | C:\Program Files (x86)\Google\Update\readme.txt
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\plugins\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms
File created | C:\Program Files\Mozilla Firefox\browser\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
2640 | 1096 | WerFault.exe | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe, WerFault.exe
pid | process
1096 | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe (2 entries)
2640 | WerFault.exe (14 entries)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: vssvc.exe, WMIC.exe, WerFault.exe
description | pid | process
Token: SeBackupPrivilege | 1104 | vssvc.exe
Token: SeRestorePrivilege | 1104 | vssvc.exe
Token: SeAuditPrivilege | 1104 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3976 | WMIC.exe
Token: SeSecurityPrivilege | 3976 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3976 | WMIC.exe
Token: SeLoadDriverPrivilege | 3976 | WMIC.exe
Token: SeSystemProfilePrivilege | 3976 | WMIC.exe
Token: SeSystemtimePrivilege | 3976 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3976 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3976 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3976 | WMIC.exe
Token: SeBackupPrivilege | 3976 | WMIC.exe
Token: SeRestorePrivilege | 3976 | WMIC.exe
Token: SeShutdownPrivilege | 3976 | WMIC.exe
Token: SeDebugPrivilege | 3976 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3976 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3976 | WMIC.exe
Token: SeUndockPrivilege | 3976 | WMIC.exe
Token: SeManageVolumePrivilege | 3976 | WMIC.exe
Token: 33 | 3976 | WMIC.exe
Token: 34 | 3976 | WMIC.exe
Token: 35 | 3976 | WMIC.exe
Token: 36 | 3976 | WMIC.exe
(the 21 WMIC.exe token entries above are recorded a second time in the same order, for 42 WMIC.exe entries in total)
Token: SeRestorePrivilege | 2640 | WerFault.exe
Token: SeBackupPrivilege | 2640 | WerFault.exe
Token: SeDebugPrivilege | 2640 | WerFault.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe, cmd.exe
description | pid | process | target process
PID 1096 wrote to memory of 4052 | 1096 | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe | cmd.exe
PID 1096 wrote to memory of 4052 | 1096 | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe | cmd.exe
PID 4052 wrote to memory of 3976 | 4052 | cmd.exe | WMIC.exe
PID 4052 wrote to memory of 3976 | 4052 | cmd.exe | WMIC.exe
Processes

C:\Users\Admin\AppData\Local\Temp\732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe"
  signatures:
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
    signatures:
      Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
      signatures:
        Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1916
    signatures:
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures:
    Suspicious use of AdjustPrivilegeToken