conti | 626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce

Analysis

max time kernel
155s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
15/02/2022, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
Size

191KB
MD5

7e10aded8fc55ad5d1fdbf20f7a96bc5
SHA1

f514f0fd76e6f5cef392de083a10a2091031f36f
SHA256

626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce
SHA512

a04e7318d8f7e58e868653f507a61d68ae872bda831597d3a71c445649a918e5416a87aa730ce875b6af89763eab4df0ad1cad26a804a74fe9942665dfbe9c09

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- K2N1tSspdj6THjQ4ZES1GBdPX8V2f7P5unxYqgmCB2WizNnMfRVXq03p0BtFek3h ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ReadOpen.png => C:\Users\Admin\Pictures\ReadOpen.png.EMNSX	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File renamed	C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.EMNSX	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Pictures\SkipBlock.tiff	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File renamed	C:\Users\Admin\Pictures\SkipBlock.tiff => C:\Users\Admin\Pictures\SkipBlock.tiff.EMNSX	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Drops desktop.ini file(s) 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\sentinel	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Common Files\System\Ole DB\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Mozilla Firefox\browser\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\DVD Maker\fr-FR\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Common Files\System\msadc\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_fr.dub	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\SetRename.mpa	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\MSBuild\Microsoft\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\LICENSE	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\verisign.bmp	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Angles.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Equity.thmx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	912	vssvc.exe
Token: SeRestorePrivilege	912	vssvc.exe
Token: SeAuditPrivilege	912	vssvc.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1564	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	30
PID 1400 wrote to memory of 1564	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	30
PID 1400 wrote to memory of 1564	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	30
PID 1400 wrote to memory of 1564	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	30
PID 1564 wrote to memory of 820	1564	cmd.exe	32
PID 1564 wrote to memory of 820	1564	cmd.exe	32
PID 1564 wrote to memory of 820	1564	cmd.exe	32
PID 1400 wrote to memory of 1040	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	33
PID 1400 wrote to memory of 1040	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	33
PID 1400 wrote to memory of 1040	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	33
PID 1400 wrote to memory of 1040	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	33
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1400 wrote to memory of 1048	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	36
PID 1400 wrote to memory of 1048	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	36
PID 1400 wrote to memory of 1048	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	36
PID 1400 wrote to memory of 1048	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	36
PID 1048 wrote to memory of 1072	1048	cmd.exe	38
PID 1048 wrote to memory of 1072	1048	cmd.exe	38
PID 1048 wrote to memory of 1072	1048	cmd.exe	38
PID 1400 wrote to memory of 1644	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	39
PID 1400 wrote to memory of 1644	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	39
PID 1400 wrote to memory of 1644	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	39
PID 1400 wrote to memory of 1644	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	39
PID 1644 wrote to memory of 1280	1644	cmd.exe	41
PID 1644 wrote to memory of 1280	1644	cmd.exe	41
PID 1644 wrote to memory of 1280	1644	cmd.exe	41
PID 1400 wrote to memory of 1776	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	42
PID 1400 wrote to memory of 1776	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	42
PID 1400 wrote to memory of 1776	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	42
PID 1400 wrote to memory of 1776	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	42
PID 1776 wrote to memory of 1364	1776	cmd.exe	44
PID 1776 wrote to memory of 1364	1776	cmd.exe	44
PID 1776 wrote to memory of 1364	1776	cmd.exe	44
PID 1400 wrote to memory of 1380	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	45
PID 1400 wrote to memory of 1380	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	45
PID 1400 wrote to memory of 1380	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	45
PID 1400 wrote to memory of 1380	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	45
PID 1380 wrote to memory of 776	1380	cmd.exe	47
PID 1380 wrote to memory of 776	1380	cmd.exe	47
PID 1380 wrote to memory of 776	1380	cmd.exe	47
PID 1400 wrote to memory of 1900	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	48
PID 1400 wrote to memory of 1900	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	48
PID 1400 wrote to memory of 1900	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	48
PID 1400 wrote to memory of 1900	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	48
PID 1900 wrote to memory of 896	1900	cmd.exe	50
PID 1900 wrote to memory of 896	1900	cmd.exe	50
PID 1900 wrote to memory of 896	1900	cmd.exe	50
PID 1400 wrote to memory of 1984	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	51
PID 1400 wrote to memory of 1984	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	51
PID 1400 wrote to memory of 1984	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	51
PID 1400 wrote to memory of 1984	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	51
PID 1984 wrote to memory of 1612	1984	cmd.exe	53
PID 1984 wrote to memory of 1612	1984	cmd.exe	53
PID 1984 wrote to memory of 1612	1984	cmd.exe	53
PID 1400 wrote to memory of 792	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	54
PID 1400 wrote to memory of 792	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	54
PID 1400 wrote to memory of 792	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	54
PID 1400 wrote to memory of 792	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	54
PID 792 wrote to memory of 588	792	cmd.exe	56
PID 792 wrote to memory of 588	792	cmd.exe	56
PID 792 wrote to memory of 588	792	cmd.exe	56
PID 1400 wrote to memory of 820	1400	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	57

C:\Users\Admin\AppData\Local\Temp\626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
"C:\Users\Admin\AppData\Local\Temp\626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E44615B8-B9B5-4870-9DD9-8A8542723199}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84F4B8C3-25A2-4458-A56F-8519E36811F7}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{744FE292-20A5-4AFC-BD35-933034B0EF11}'" delete
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A95C7851-06D0-4CCA-A3E1-B1F1626F096E}'" delete
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14A1A80C-9E7C-48D0-86C2-448827344C94}'" delete
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44676B88-09A9-4F29-B5AA-1A29E20A4F75}'" delete
    3⤵
    PID:776
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A848EC9E-3173-4948-B6B3-92AA790A398D}'" delete
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{847CDF19-2016-4A38-AFDE-ACAACC042E32}'" delete
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{149E22FF-26D8-4174-B024-D9A099D41A26}'" delete
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
  2⤵
  PID:820
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB0E411-B327-4F16-BBD1-9AE4F37B7704}'" delete
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
  2⤵
  PID:1728
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469B32FA-07FA-4E77-BD92-42CDE468BDF3}'" delete
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
  2⤵
  PID:1072
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6531F51C-FE63-4790-8958-D5812779895E}'" delete
    3⤵
    PID:456
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
  2⤵
  PID:1844
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{410940A4-BA5D-4F4E-B015-F25CD66FA904}'" delete
    3⤵
    PID:724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download