conti | 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d

General

Target

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
Size

195KB
MD5

bf4933f379b743cfbdcdfe78b7071749
SHA1

2ddaf5e2ee25ec75c2a4d0bd83097aa93d1de941
SHA256

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d
SHA512

9fe5d25f97e600aa8f67302b6fa07e4246d9fb9bf1b0d24d1f5ce7038b0390089468956ffea5477fa18ca7009b5d9af37a710236eed0b051400a379ffb39586a

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- yIe0BFhEGHFSJ8G0iEutn6kJm34kLTKKb79sUBcfYqbwlHXQ3vFPZTF0X23J76Y0 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 64 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

description	ioc	process
File opened for modification	C:\Program Files\RedoOpen.tiff	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\TestUnpublish.emf	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\UpdateUnblock.wax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Microsoft Games\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\MSBuild\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\SwitchCompare.iso	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\UseUpdate.M2T	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Microsoft Office\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Google\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DisableGrant.xltm	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\MoveCheckpoint.xla	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\OpenGrant.DVR-MS	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\PingUpdate.m4v	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\PopSelect.xml	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Google\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\CompareWatch.vssx	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ResolveSearch.aifc	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\DVD Maker\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\CompressDisconnect.m1v	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\PopBackup.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\VideoLAN\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\FormatClear.bmp	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\AssertConnect.TTS	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\CheckpointBackup.odt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ReadRepair.mht	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ApproveWait.mp4v	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Uninstall Information\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\RepairExport.jpg	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ConvertBackup.ods	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\RepairShow.wax	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Internet Explorer\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\OpenWait.odt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

pid process

1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

pid	process
1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1148	vssvc.exe
Token: SeRestorePrivilege	1148	vssvc.exe
Token: SeAuditPrivilege	1148	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 816	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 816	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 816	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 816	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 816 wrote to memory of 1824	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1824	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1824	816	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1156	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1156	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1156	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1156	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1156 wrote to memory of 1064	1156	cmd.exe	WMIC.exe
PID 1156 wrote to memory of 1064	1156	cmd.exe	WMIC.exe
PID 1156 wrote to memory of 1064	1156	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1440	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1440	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1440	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1440	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1440 wrote to memory of 1800	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1800	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1800	1440	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1760	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1760	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1760	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1760	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1760 wrote to memory of 1940	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 1940	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 1940	1760	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 600	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 600	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 600	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 600	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 600 wrote to memory of 1668	600	cmd.exe	WMIC.exe
PID 600 wrote to memory of 1668	600	cmd.exe	WMIC.exe
PID 600 wrote to memory of 1668	600	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1204	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1204	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1204	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1204	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1204 wrote to memory of 692	1204	cmd.exe	WMIC.exe
PID 1204 wrote to memory of 692	1204	cmd.exe	WMIC.exe
PID 1204 wrote to memory of 692	1204	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1512	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1512	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1512	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1512	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1512 wrote to memory of 1684	1512	cmd.exe	WMIC.exe
PID 1512 wrote to memory of 1684	1512	cmd.exe	WMIC.exe
PID 1512 wrote to memory of 1684	1512	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 2016	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 2016	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 2016	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 2016	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	WMIC.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	WMIC.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1516	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1516	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1516	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1088 wrote to memory of 1516	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 1516 wrote to memory of 1480	1516	cmd.exe	WMIC.exe
PID 1516 wrote to memory of 1480	1516	cmd.exe	WMIC.exe
PID 1516 wrote to memory of 1480	1516	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1520	1088	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
"C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
3⤵
PID:1800

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
3⤵
PID:1940

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
3⤵
PID:1668

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
3⤵
PID:692

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
3⤵
PID:1684

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
3⤵
PID:432

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
3⤵
PID:1480

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
2⤵
PID:1520

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
3⤵
PID:1004

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
2⤵
PID:1996

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
3⤵
PID:676

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
2⤵
PID:1628

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
3⤵
PID:1356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-69-0x0000000000000000-mapping.dmp

Download
memory/600-62-0x0000000000000000-mapping.dmp

Download
memory/676-75-0x0000000000000000-mapping.dmp

Download
memory/692-65-0x0000000000000000-mapping.dmp

Download
memory/816-54-0x0000000000000000-mapping.dmp

Download
memory/1004-73-0x0000000000000000-mapping.dmp

Download
memory/1064-57-0x0000000000000000-mapping.dmp

Download
memory/1088-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1156-56-0x0000000000000000-mapping.dmp

Download
memory/1204-64-0x0000000000000000-mapping.dmp

Download
memory/1356-77-0x0000000000000000-mapping.dmp

Download
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1480-71-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1516-70-0x0000000000000000-mapping.dmp

Download
memory/1520-72-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1668-63-0x0000000000000000-mapping.dmp

Download
memory/1684-67-0x0000000000000000-mapping.dmp

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1800-59-0x0000000000000000-mapping.dmp

Download
memory/1824-55-0x0000000000000000-mapping.dmp

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download
memory/1996-74-0x0000000000000000-mapping.dmp

Download
memory/2016-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads