conti | 82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a

General

Target

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
Size

3.2MB
MD5

1c1fb24c14610e74c3b00d62f8b0dc06
SHA1

d49a276e5e55c8fb449b603beac70d7cd37753aa
SHA256

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a
SHA512

6ece399d5d7a0e5cb78d2db45163c6a99f32437604dd7ce40a6826f7c94d340eff84d777142386274f4d61170dcc0d877f7d733cd9c7843b1b22ae3c6cce540f

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ZABQk2xlwqLflJWvwNoGlzddhRYvIC9SNpWOrYfrIk2xDRkElNgqed0ljaLiHmLj YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- ZABQk2xlwqLflJWvwNoGlzddhRYvIC9SNpWOrYfrIk2xDRkElNgqed0ljaLiHmLj ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ZABQk2xlwqLflJWvwNoGlzddhRYvIC9SNpWOrYfrIk2xDRkElNgqed0ljaLiHmLj

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ShowReceive.tif => C:\Users\Admin\Pictures\ShowReceive.tif.QGGJX	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CopyInvoke.crw => C:\Users\Admin\Pictures\CopyInvoke.crw.QGGJX	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DebugCompress.png => C:\Users\Admin\Pictures\DebugCompress.png.QGGJX	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.QGGJX	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PingEnter.tiff	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PingEnter.tiff => C:\Users\Admin\Pictures\PingEnter.tiff.QGGJX	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

Drops desktop.ini file(s) 38 IoCs

Processes:

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099197.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POST98SP.POC	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CARBN_01.MID	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01682_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293238.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\SuspendCompress.mhtml	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.DPV	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files\Mozilla Firefox\defaults\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\readme.txt	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

pid process

1128 82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

pid	process
1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1548	WMIC.exe
Token: SeSecurityPrivilege	1548	WMIC.exe
Token: SeTakeOwnershipPrivilege	1548	WMIC.exe
Token: SeLoadDriverPrivilege	1548	WMIC.exe
Token: SeSystemProfilePrivilege	1548	WMIC.exe
Token: SeSystemtimePrivilege	1548	WMIC.exe
Token: SeProfSingleProcessPrivilege	1548	WMIC.exe
Token: SeIncBasePriorityPrivilege	1548	WMIC.exe
Token: SeCreatePagefilePrivilege	1548	WMIC.exe
Token: SeBackupPrivilege	1548	WMIC.exe
Token: SeRestorePrivilege	1548	WMIC.exe
Token: SeShutdownPrivilege	1548	WMIC.exe
Token: SeDebugPrivilege	1548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1548	WMIC.exe
Token: SeRemoteShutdownPrivilege	1548	WMIC.exe
Token: SeUndockPrivilege	1548	WMIC.exe
Token: SeManageVolumePrivilege	1548	WMIC.exe
Token: 33	1548	WMIC.exe
Token: 34	1548	WMIC.exe
Token: 35	1548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1548	WMIC.exe
Token: SeSecurityPrivilege	1548	WMIC.exe
Token: SeTakeOwnershipPrivilege	1548	WMIC.exe
Token: SeLoadDriverPrivilege	1548	WMIC.exe
Token: SeSystemProfilePrivilege	1548	WMIC.exe
Token: SeSystemtimePrivilege	1548	WMIC.exe
Token: SeProfSingleProcessPrivilege	1548	WMIC.exe
Token: SeIncBasePriorityPrivilege	1548	WMIC.exe
Token: SeCreatePagefilePrivilege	1548	WMIC.exe
Token: SeBackupPrivilege	1548	WMIC.exe
Token: SeRestorePrivilege	1548	WMIC.exe
Token: SeShutdownPrivilege	1548	WMIC.exe
Token: SeDebugPrivilege	1548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1548	WMIC.exe
Token: SeRemoteShutdownPrivilege	1548	WMIC.exe
Token: SeUndockPrivilege	1548	WMIC.exe
Token: SeManageVolumePrivilege	1548	WMIC.exe
Token: 33	1548	WMIC.exe
Token: 34	1548	WMIC.exe
Token: 35	1548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemProfilePrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeProfSingleProcessPrivilege	1056	WMIC.exe
Token: SeIncBasePriorityPrivilege	1056	WMIC.exe
Token: SeCreatePagefilePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeDebugPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeRemoteShutdownPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe
Token: 33	1056	WMIC.exe
Token: 34	1056	WMIC.exe
Token: 35	1056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 1708	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1708	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1708	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1708	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1708 wrote to memory of 1548	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 1548	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 1548	1708	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 2004	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 2004	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 2004	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 2004	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 2004 wrote to memory of 1056	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1056	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1056	2004	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1596	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1596	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1596	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1596	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1596 wrote to memory of 1688	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 1688	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 1688	1596	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1476	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1476	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1476	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1476	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1476 wrote to memory of 1808	1476	cmd.exe	WMIC.exe
PID 1476 wrote to memory of 1808	1476	cmd.exe	WMIC.exe
PID 1476 wrote to memory of 1808	1476	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1928	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1928	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1928	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1928	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1928 wrote to memory of 316	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 316	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 316	1928	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1736	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1736	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1736	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1736	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1736 wrote to memory of 1900	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 1900	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 1900	1736	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1532	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1532	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1532	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1532	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1532 wrote to memory of 1616	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1616	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1616	1532	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1968	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1968	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1968	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1968	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1968 wrote to memory of 1832	1968	cmd.exe	WMIC.exe
PID 1968 wrote to memory of 1832	1968	cmd.exe	WMIC.exe
PID 1968 wrote to memory of 1832	1968	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1592	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1592	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1592	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1128 wrote to memory of 1592	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe
PID 1592 wrote to memory of 1956	1592	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1956	1592	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1956	1592	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1996	1128	82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\82c8a9e6e9cef2aafefe6a828831c7dc1f8d422f8f6c18fef50cc8de32af6f9a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E6B4C83-E397-4517-8DA9-3484AF0AD84A}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E6B4C83-E397-4517-8DA9-3484AF0AD84A}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C39B6211-31BD-4714-8535-1220FA86C225}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C39B6211-31BD-4714-8535-1220FA86C225}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00CC08EC-00AD-4AA8-AF16-B3F4F224E56A}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00CC08EC-00AD-4AA8-AF16-B3F4F224E56A}'" delete
3⤵
PID:1688

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0FF658-0C54-4EB3-9B69-1DA1FB9B2C27}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0FF658-0C54-4EB3-9B69-1DA1FB9B2C27}'" delete
3⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD3219A2-9723-4FB9-975E-9F39890481B3}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD3219A2-9723-4FB9-975E-9F39890481B3}'" delete
3⤵
PID:316

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106A401-EE5E-40A2-BB45-05B36DB087C7}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106A401-EE5E-40A2-BB45-05B36DB087C7}'" delete
3⤵
PID:1900

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8183FD06-C119-473D-B4A2-E73D4BF85C63}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8183FD06-C119-473D-B4A2-E73D4BF85C63}'" delete
3⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC1A004E-B2DB-49B0-9331-2F2CC053D3DA}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC1A004E-B2DB-49B0-9331-2F2CC053D3DA}'" delete
3⤵
PID:1832

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADB940AD-0A35-462E-9FEB-ACC3FC9BC5A1}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADB940AD-0A35-462E-9FEB-ACC3FC9BC5A1}'" delete
3⤵
PID:1956

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A2524F2-6C16-47EF-938D-0890A33A8DBA}'" delete
2⤵
PID:1996

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A2524F2-6C16-47EF-938D-0890A33A8DBA}'" delete
3⤵
PID:1640

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{703828D3-18E3-4962-B702-5FA1F0BACDF6}'" delete
2⤵
PID:1692

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{703828D3-18E3-4962-B702-5FA1F0BACDF6}'" delete
3⤵
PID:1216

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00AFFCD2-8CEA-41F5-8D20-3B81FD754182}'" delete
2⤵
PID:1028

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00AFFCD2-8CEA-41F5-8D20-3B81FD754182}'" delete
3⤵
PID:1064

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FC5D151-5000-4A63-8B37-619EA4D209F3}'" delete
2⤵
PID:1080

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FC5D151-5000-4A63-8B37-619EA4D209F3}'" delete
3⤵
PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-67-0x0000000000000000-mapping.dmp

Download
memory/1028-80-0x0000000000000000-mapping.dmp

Download
memory/1056-61-0x0000000000000000-mapping.dmp

Download
memory/1064-81-0x0000000000000000-mapping.dmp

Download
memory/1080-82-0x0000000000000000-mapping.dmp

Download
memory/1128-56-0x0000000000780000-0x00000000007AF000-memory.dmp

Filesize
188KB

Download
memory/1128-57-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1128-55-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1216-79-0x0000000000000000-mapping.dmp

Download
memory/1476-64-0x0000000000000000-mapping.dmp

Download
memory/1532-70-0x0000000000000000-mapping.dmp

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1592-74-0x0000000000000000-mapping.dmp

Download
memory/1596-62-0x0000000000000000-mapping.dmp

Download
memory/1616-71-0x0000000000000000-mapping.dmp

Download
memory/1640-77-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1700-83-0x0000000000000000-mapping.dmp

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/1832-73-0x0000000000000000-mapping.dmp

Download
memory/1900-69-0x0000000000000000-mapping.dmp

Download
memory/1928-66-0x0000000000000000-mapping.dmp

Download
memory/1956-75-0x0000000000000000-mapping.dmp

Download
memory/1968-72-0x0000000000000000-mapping.dmp

Download
memory/1996-76-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads