Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
27-01-2022 15:51
Static task
static1
Behavioral task
behavioral1
Sample
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe
Resource
win10-en-20211208
General
-
Target
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe
-
Size
624KB
-
MD5
7e18dd4a4b84f2f93eff4790f16e8e8b
-
SHA1
3113dbbeb536000ac8175ccb6438355af41ab2eb
-
SHA256
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9
-
SHA512
3edfa60480ec1e0a6b5ce01d99cf0156fe544a77944ccd87acf95dcd0667cdfe4a2b99e9988cee0e597de03aa96d8098ae3f324fe63ca37db688522e5ec87fca
Malware Config
Extracted
C:\readme.txt
conti
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/MAYeHZzawPjL51jqGnH1euFenWdJSCSx4LjdiNz46bQ2ZPugz83x52n5vqW0O76L
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
Processes:
resource yara_rule behavioral1/memory/1600-59-0x0000000000340000-0x000000000036E000-memory.dmp dave -
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\SkipRename.tiff 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\SkipRename.tiff => C:\Users\Admin\Pictures\SkipRename.tiff.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\UnpublishAssert.png => C:\Users\Admin\Pictures\UnpublishAssert.png.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\BlockUnblock.tif => C:\Users\Admin\Pictures\BlockUnblock.tif.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\MoveResume.crw => C:\Users\Admin\Pictures\MoveResume.crw.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\PublishBackup.crw => C:\Users\Admin\Pictures\PublishBackup.crw.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\RemoveTrace.png => C:\Users\Admin\Pictures\RemoveTrace.png.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File renamed C:\Users\Admin\Pictures\ResetConnect.crw => C:\Users\Admin\Pictures\ResetConnect.crw.YWSCE 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Drops desktop.ini file(s) 37 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exedescription ioc process File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Documents\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Music\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Music\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Videos\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Admin\Links\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Drops file in Program Files directory 64 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files\Microsoft Games\Chess\ja-JP\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado25.tlb 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DOTS.POC 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files\Microsoft Games\More Games\en-US\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Aspect.eftx 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN108.XML 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\readme.txt 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.LEX 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Modifies registry class 18 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\ = "DnD Document" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ShellNew 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ACE33~1.EXE,1" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print\command 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ = "DnD.Document" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open\command 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dnd 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ACE33~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\"" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ShellNew\NullFile 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\DefaultIcon 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ACE33~1.EXE \"%1\"" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ACE33~1.EXE /p \"%1\"" 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto\command 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exepid process 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exeWMIC.exeWMIC.exedescription pid process Token: SeBackupPrivilege 568 vssvc.exe Token: SeRestorePrivilege 568 vssvc.exe Token: SeAuditPrivilege 568 vssvc.exe Token: SeIncreaseQuotaPrivilege 960 WMIC.exe Token: SeSecurityPrivilege 960 WMIC.exe Token: SeTakeOwnershipPrivilege 960 WMIC.exe Token: SeLoadDriverPrivilege 960 WMIC.exe Token: SeSystemProfilePrivilege 960 WMIC.exe Token: SeSystemtimePrivilege 960 WMIC.exe Token: SeProfSingleProcessPrivilege 960 WMIC.exe Token: SeIncBasePriorityPrivilege 960 WMIC.exe Token: SeCreatePagefilePrivilege 960 WMIC.exe Token: SeBackupPrivilege 960 WMIC.exe Token: SeRestorePrivilege 960 WMIC.exe Token: SeShutdownPrivilege 960 WMIC.exe Token: SeDebugPrivilege 960 WMIC.exe Token: SeSystemEnvironmentPrivilege 960 WMIC.exe Token: SeRemoteShutdownPrivilege 960 WMIC.exe Token: SeUndockPrivilege 960 WMIC.exe Token: SeManageVolumePrivilege 960 WMIC.exe Token: 33 960 WMIC.exe Token: 34 960 WMIC.exe Token: 35 960 WMIC.exe Token: SeIncreaseQuotaPrivilege 960 WMIC.exe Token: SeSecurityPrivilege 960 WMIC.exe Token: SeTakeOwnershipPrivilege 960 WMIC.exe Token: SeLoadDriverPrivilege 960 WMIC.exe Token: SeSystemProfilePrivilege 960 WMIC.exe Token: SeSystemtimePrivilege 960 WMIC.exe Token: SeProfSingleProcessPrivilege 960 WMIC.exe Token: SeIncBasePriorityPrivilege 960 WMIC.exe Token: SeCreatePagefilePrivilege 960 WMIC.exe Token: SeBackupPrivilege 960 WMIC.exe Token: SeRestorePrivilege 960 WMIC.exe Token: SeShutdownPrivilege 960 WMIC.exe Token: SeDebugPrivilege 960 WMIC.exe Token: SeSystemEnvironmentPrivilege 960 WMIC.exe Token: SeRemoteShutdownPrivilege 960 WMIC.exe Token: SeUndockPrivilege 960 WMIC.exe Token: SeManageVolumePrivilege 960 WMIC.exe Token: 33 960 WMIC.exe Token: 34 960 WMIC.exe Token: 35 960 WMIC.exe Token: SeIncreaseQuotaPrivilege 1808 WMIC.exe Token: SeSecurityPrivilege 1808 WMIC.exe Token: SeTakeOwnershipPrivilege 1808 WMIC.exe Token: SeLoadDriverPrivilege 1808 WMIC.exe Token: SeSystemProfilePrivilege 1808 WMIC.exe Token: SeSystemtimePrivilege 1808 WMIC.exe Token: SeProfSingleProcessPrivilege 1808 WMIC.exe Token: SeIncBasePriorityPrivilege 1808 WMIC.exe Token: SeCreatePagefilePrivilege 1808 WMIC.exe Token: SeBackupPrivilege 1808 WMIC.exe Token: SeRestorePrivilege 1808 WMIC.exe Token: SeShutdownPrivilege 1808 WMIC.exe Token: SeDebugPrivilege 1808 WMIC.exe Token: SeSystemEnvironmentPrivilege 1808 WMIC.exe Token: SeRemoteShutdownPrivilege 1808 WMIC.exe Token: SeUndockPrivilege 1808 WMIC.exe Token: SeManageVolumePrivilege 1808 WMIC.exe Token: 33 1808 WMIC.exe Token: 34 1808 WMIC.exe Token: 35 1808 WMIC.exe Token: SeIncreaseQuotaPrivilege 1808 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exepid process 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1600 wrote to memory of 1516 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1516 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1516 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1516 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1516 wrote to memory of 960 1516 cmd.exe WMIC.exe PID 1516 wrote to memory of 960 1516 cmd.exe WMIC.exe PID 1516 wrote to memory of 960 1516 cmd.exe WMIC.exe PID 1600 wrote to memory of 780 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 780 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 780 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 780 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 780 wrote to memory of 1808 780 cmd.exe WMIC.exe PID 780 wrote to memory of 1808 780 cmd.exe WMIC.exe PID 780 wrote to memory of 1808 780 cmd.exe WMIC.exe PID 1600 wrote to memory of 1096 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1096 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1096 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1096 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1096 wrote to memory of 1508 1096 cmd.exe WMIC.exe PID 1096 wrote to memory of 1508 1096 cmd.exe WMIC.exe PID 1096 wrote to memory of 1508 1096 cmd.exe WMIC.exe PID 1600 wrote to memory of 964 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 964 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 964 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 964 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 964 wrote to memory of 1360 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1360 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1360 964 cmd.exe WMIC.exe PID 1600 wrote to memory of 1528 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1528 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1528 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1528 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1528 wrote to memory of 1988 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 1988 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 1988 1528 cmd.exe WMIC.exe PID 1600 wrote to memory of 1740 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1740 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1740 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1740 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1740 wrote to memory of 280 1740 cmd.exe WMIC.exe PID 1740 wrote to memory of 280 1740 cmd.exe WMIC.exe PID 1740 wrote to memory of 280 1740 cmd.exe WMIC.exe PID 1600 wrote to memory of 868 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 868 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 868 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 868 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 868 wrote to memory of 1108 868 cmd.exe WMIC.exe PID 868 wrote to memory of 1108 868 cmd.exe WMIC.exe PID 868 wrote to memory of 1108 868 cmd.exe WMIC.exe PID 1600 wrote to memory of 1572 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1572 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1572 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1572 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1572 wrote to memory of 1548 1572 cmd.exe WMIC.exe PID 1572 wrote to memory of 1548 1572 cmd.exe WMIC.exe PID 1572 wrote to memory of 1548 1572 cmd.exe WMIC.exe PID 1600 wrote to memory of 1656 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1656 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1656 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1600 wrote to memory of 1656 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe PID 1656 wrote to memory of 752 1656 cmd.exe WMIC.exe PID 1656 wrote to memory of 752 1656 cmd.exe WMIC.exe PID 1656 wrote to memory of 752 1656 cmd.exe WMIC.exe PID 1600 wrote to memory of 960 1600 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe"C:\Users\Admin\AppData\Local\Temp\5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E6B4C83-E397-4517-8DA9-3484AF0AD84A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E6B4C83-E397-4517-8DA9-3484AF0AD84A}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:960 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C39B6211-31BD-4714-8535-1220FA86C225}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C39B6211-31BD-4714-8535-1220FA86C225}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00CC08EC-00AD-4AA8-AF16-B3F4F224E56A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00CC08EC-00AD-4AA8-AF16-B3F4F224E56A}'" delete3⤵PID:1508
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0FF658-0C54-4EB3-9B69-1DA1FB9B2C27}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0FF658-0C54-4EB3-9B69-1DA1FB9B2C27}'" delete3⤵PID:1360
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD3219A2-9723-4FB9-975E-9F39890481B3}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD3219A2-9723-4FB9-975E-9F39890481B3}'" delete3⤵PID:1988
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106A401-EE5E-40A2-BB45-05B36DB087C7}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106A401-EE5E-40A2-BB45-05B36DB087C7}'" delete3⤵PID:280
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8183FD06-C119-473D-B4A2-E73D4BF85C63}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8183FD06-C119-473D-B4A2-E73D4BF85C63}'" delete3⤵PID:1108
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC1A004E-B2DB-49B0-9331-2F2CC053D3DA}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC1A004E-B2DB-49B0-9331-2F2CC053D3DA}'" delete3⤵PID:1548
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADB940AD-0A35-462E-9FEB-ACC3FC9BC5A1}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADB940AD-0A35-462E-9FEB-ACC3FC9BC5A1}'" delete3⤵PID:752
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A2524F2-6C16-47EF-938D-0890A33A8DBA}'" delete2⤵PID:960
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A2524F2-6C16-47EF-938D-0890A33A8DBA}'" delete3⤵PID:1256
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{703828D3-18E3-4962-B702-5FA1F0BACDF6}'" delete2⤵PID:1808
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{703828D3-18E3-4962-B702-5FA1F0BACDF6}'" delete3⤵PID:828
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00AFFCD2-8CEA-41F5-8D20-3B81FD754182}'" delete2⤵PID:1508
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00AFFCD2-8CEA-41F5-8D20-3B81FD754182}'" delete3⤵PID:1824
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FC5D151-5000-4A63-8B37-619EA4D209F3}'" delete2⤵PID:1360
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FC5D151-5000-4A63-8B37-619EA4D209F3}'" delete3⤵PID:524
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:568