Analysis
- max time kernel: 140s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-11-2021 21:23
Static task: static1
Behavioral task: behavioral1
- Sample: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
- Resource: win10-en-20211014
General
- Target: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
- Size: 194KB
- MD5: 4220529bbf818e00cdec2ebbf4b24565
- SHA1: 2c0d7929b304a3cf633e432dd9b580f2c3fb5a0b
- SHA256: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b
- SHA512: 6fa9cb66438d99bfe41b45b690db65a455050bae4ce2386aa44d451891d5beeb24e7df28c67ea863aa944ed734aa668e40909868bbf28f261f8b289e2428ce73
Malware Config
Extracted from: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.ws
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
  File renamed: C:\Users\Admin\Pictures\GrantUndo.tif => C:\Users\Admin\Pictures\GrantUndo.tif.MVDKV
  File renamed: C:\Users\Admin\Pictures\PublishConvertFrom.png => C:\Users\Admin\Pictures\PublishConvertFrom.png.MVDKV
  File opened for modification: C:\Users\Admin\Pictures\RedoUnpublish.tiff
  File renamed: C:\Users\Admin\Pictures\RedoUnpublish.tiff => C:\Users\Admin\Pictures\RedoUnpublish.tiff.MVDKV
  File renamed: C:\Users\Admin\Pictures\SendRevoke.png => C:\Users\Admin\Pictures\SendRevoke.png.MVDKV
  File renamed: C:\Users\Admin\Pictures\StartMerge.crw => C:\Users\Admin\Pictures\StartMerge.crw.MVDKV
- Drops startup file (1 IoC)
  Processes: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
  pid 1744: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
  pid 1744: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  vssvc.exe (pid 3776) Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (pid 3788) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe (pid 3788) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe, cmd.exe
  PID 1744 wrote to memory of 3532: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe -> cmd.exe
  PID 1744 wrote to memory of 3532: 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe -> cmd.exe
  PID 3532 wrote to memory of 3788: cmd.exe -> WMIC.exe
  PID 3532 wrote to memory of 3788: cmd.exe -> WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (child)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (child)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken