Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-12-2021 08:10

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample 1.exe, resource win7-en-20211208)
- Behavioral task: behavioral2 (sample 1.exe, resource win10-en-20211208)
General
- Target: 1.exe
- Size: 1.0MB
- MD5: 42800d065e5855e261cc617fa688850f
- SHA1: 6c7b35e36830c1cc613fb08280ee25e5fbba9937
- SHA256: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59
- SHA512: 9e6e09aa81666c491058773b312d2c3178c4d6d6d295c455e8ad40f186f2081a6cc3b00e6a9eeefd66a806e05019d496cb2d54e2dcf45cc6b63ab7d55f9c2154
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/rw0J6Ap3LZNfxsJyo6UpClQbrgD1dzRjxZLVZep0QQEFdl01ihbHIkEvZt91EvtA
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process 1.exe:
  - File renamed C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.XKLKO
  - File opened for modification C:\Users\Admin\Pictures\InstallUnregister.tiff
  - File renamed C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.XKLKO
  - File renamed C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.XKLKO
  - File renamed C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.XKLKO
  - File renamed C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.XKLKO
  - File opened for modification C:\Users\Admin\Pictures\ExportSearch.tiff
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (46 IoCs)
  Process: 1.exe
- Drops file in Program Files directory (64 IoCs)
  Process: 1.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 1.exe (PID 836)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe (PID 268), WMIC.exe (PID 820), WMIC.exe (PID 1776)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1.exe, cmd.exe (9 instances)
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 924)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 820)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 432)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1776)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1464)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1112)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
  - C:\Windows\system32\cmd.exe (PID 1000)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 980)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
  - C:\Windows\system32\cmd.exe (PID 1732)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 912)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
  - C:\Windows\system32\cmd.exe (PID 1748)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1348)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
  - C:\Windows\system32\cmd.exe (PID 1648)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1880)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
  - C:\Windows\system32\cmd.exe (PID 1216)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 540)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
  - C:\Windows\system32\cmd.exe (PID 336)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1788)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
  - C:\Windows\system32\cmd.exe (PID 1776)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1180)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
  - C:\Windows\system32\cmd.exe (PID 1112)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 856)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
  - C:\Windows\system32\cmd.exe (PID 980)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 804)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
  - C:\Windows\system32\cmd.exe (PID 912)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1328)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
- C:\Windows\system32\vssvc.exe (PID 268)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken