Analysis
- max time kernel: 65s
- max time network: 68s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 10:21
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: v2.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: v2.exe, Resource: win10v2004-en-20220113)
General
- Target: v2.exe
- Size: 170KB
- MD5: 6432b67fb54be5748571aba7b7cf3213
- SHA1: 6a17b61b7ed2b12ca424a88b3828a0b70855626a
- SHA256: bc87bb72ce1ab19b2cff617a894fc1acf30bd3f9d2994235189ca8e5057fb354
- SHA512: 59646b41a47f2086ee1f47b0e3c7fb31752447364ffd7335cff2b4d09213be02d5758c15d4d86eb5109b45b112d9b3e38a64c55440039838623d552753548753
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: v2.exe
  description / ioc / process:
  - File renamed: C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\CheckpointResume.crw => C:\Users\Admin\Pictures\CheckpointResume.crw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\CompareImport.raw => C:\Users\Admin\Pictures\CompareImport.raw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\ConvertFromSet.raw => C:\Users\Admin\Pictures\ConvertFromSet.raw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\JoinAdd.raw => C:\Users\Admin\Pictures\JoinAdd.raw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\SearchMove.png => C:\Users\Admin\Pictures\SearchMove.png.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\ConvertFromPing.crw => C:\Users\Admin\Pictures\ConvertFromPing.crw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\CopyUndo.crw => C:\Users\Admin\Pictures\CopyUndo.crw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\DisableSplit.crw => C:\Users\Admin\Pictures\DisableSplit.crw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\ReadWatch.raw => C:\Users\Admin\Pictures\ReadWatch.raw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\RevokeFind.crw => C:\Users\Admin\Pictures\RevokeFind.crw.SQYZO (v2.exe)
  - File renamed: C:\Users\Admin\Pictures\UndoNew.tif => C:\Users\Admin\Pictures\UndoNew.tif.SQYZO (v2.exe)
- Drops desktop.ini file(s) (31 IoCs)
  Processes: v2.exe
  description / ioc / process:
  - File opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Downloads\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Contacts\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Links\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\FreeCell\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\Hearts\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Pictures\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Saved Games\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Searches\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Libraries\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Music\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Recorded TV\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Desktop\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Music\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\Solitaire\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Downloads\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Favorites\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Documents\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Admin\Videos\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Desktop\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files (x86)\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\Chess\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\Mahjong\desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Microsoft Games\Purble Place\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Pictures\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Videos\desktop.ini (v2.exe)
  - File opened for modification: C:\Users\Public\Documents\desktop.ini (v2.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: v2.exe
  description / ioc / process:
  - File opened for modification: C:\Program Files\WriteBackup.ps1 (v2.exe)
  - File created: C:\Program Files\Microsoft Games\FreeCell\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml (v2.exe)
  - File created: C:\Program Files\DVD Maker\Shared\DvdStyles\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP (v2.exe)
  - File created: C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\readme.txt (v2.exe)
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\VGX\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\ky.txt (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\uz.txt (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04108_.WMF (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV (v2.exe)
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\System\ado\msado25.tlb (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\ast.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\System\ado\msado21.tlb (v2.exe)
  - File opened for modification: C:\Program Files\Java\jre7\lib\javaws.jar (v2.exe)
  - File created: C:\Program Files\Java\jdk1.7.0_80\db\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini (v2.exe)
  - File opened for modification: C:\Program Files\Java\jre7\lib\classlist (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\gl.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat (v2.exe)
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png (v2.exe)
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF (v2.exe)
  - File created: C:\Program Files (x86)\Common Files\System\MSMAPI\readme.txt (v2.exe)
  - File created: C:\Program Files (x86)\Google\Update\Offline\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF (v2.exe)
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00145_.WMF (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\kab.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml (v2.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg (v2.exe)
  - File created: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF (v2.exe)
  - File opened for modification: C:\Program Files\VideoLAN\VLC\AUTHORS.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML (v2.exe)
  - File created: C:\Program Files (x86)\Reference Assemblies\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\it.txt (v2.exe)
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h (v2.exe)
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar (v2.exe)
  - File opened for modification: C:\Program Files\7-Zip\Lang\hr.txt (v2.exe)
  - File created: C:\Program Files\Microsoft Games\Minesweeper\ja-JP\readme.txt (v2.exe)
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd (v2.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF (v2.exe)
  - File opened for modification: C:\Program Files\DVD Maker\Shared\Parity.fx (v2.exe)
  - File opened for modification: C:\Program Files\VideoLAN\VLC\COPYING.txt (v2.exe)
  - File created: C:\Program Files\Common Files\System\fr-FR\readme.txt (v2.exe)
  - File opened for modification: C:\Program Files\Java\jre7\lib\alt-rt.jar (v2.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: v2.exe
  pid / process:
  - 1628 v2.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, WMIC.exe, WMIC.exe
  description / pid / process (the report lists one row per token adjustment; rows are grouped here by process, in the order recorded):
  - vssvc.exe (PID 384): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - WMIC.exe (PID 1544), recorded twice in full: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - WMIC.exe (PID 1060): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege (the listing is cut off at 64 rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: v2.exe, cmd.exe (x9)
  description / pid / process / target process (rows grouped by writer and target, with the number of recorded writes):
  - PID 1628 v2.exe wrote to memory of 892 cmd.exe (4 writes)
  - PID 892 cmd.exe wrote to memory of 1544 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1472 cmd.exe (4 writes)
  - PID 1472 cmd.exe wrote to memory of 1060 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1496 cmd.exe (4 writes)
  - PID 1496 cmd.exe wrote to memory of 2004 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1476 cmd.exe (4 writes)
  - PID 1476 cmd.exe wrote to memory of 988 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1684 cmd.exe (4 writes)
  - PID 1684 cmd.exe wrote to memory of 364 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1712 cmd.exe (4 writes)
  - PID 1712 cmd.exe wrote to memory of 784 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1328 cmd.exe (4 writes)
  - PID 1328 cmd.exe wrote to memory of 1536 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1740 cmd.exe (4 writes)
  - PID 1740 cmd.exe wrote to memory of 1608 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 1424 cmd.exe (4 writes)
  - PID 1424 cmd.exe wrote to memory of 1104 WMIC.exe (3 writes)
  - PID 1628 v2.exe wrote to memory of 608 cmd.exe (1 write; the listing is cut off at 64 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1628-54-0x00000000751B1000-0x00000000751B3000-memory.dmp (Filesize: 8KB)