Malware Analysis Report

2024-10-16 03:19

Sample ID 220318-r8kmcababr
Target efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8
SHA256 efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8
Tags
conti ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8

Threat Level: Known bad

The file efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8 was found to be: Known bad.

Malicious Activity Summary

conti ransomware spyware stealer

Conti Ransomware

Modifies extensions of user files

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-18 14:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-18 14:51

Reported

2022-03-18 14:54

Platform

win7-20220311-en

Max time kernel

4294179s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CheckpointDisconnect.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointDisconnect.tiff => C:\Users\Admin\Pictures\CheckpointDisconnect.tiff.XXNQL C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\DenyShow.crw => C:\Users\Admin\Pictures\DenyShow.crw.XXNQL C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\GetRegister.png => C:\Users\Admin\Pictures\GetRegister.png.XXNQL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewPop.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\NewPop.tiff => C:\Users\Admin\Pictures\NewPop.tiff.XXNQL C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\RedoBlock.crw => C:\Users\Admin\Pictures\RedoBlock.crw.XXNQL C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5ZSPI9ZZ\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DL4J84XN\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCDJSRLN\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GMEWETP4\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\LICENSE C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_increaseindent.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\MSBuild\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01164_.WMF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guyana C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\Accessible.tlb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44B.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN111.XML C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 972 wrote to memory of 1904 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1904 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1904 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1904 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1904 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1904 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1904 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 832 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 832 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 832 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 836 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 836 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 836 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 1636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1636 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1636 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1636 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 1880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1880 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1880 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1880 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 544 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 544 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 544 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 288 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 288 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 288 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 972 wrote to memory of 1732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA557F00-6186-45EC-B466-71242AAC470E}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA557F00-6186-45EC-B466-71242AAC470E}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F0EC44C-A83A-4A97-9001-21A10B35465B}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F0EC44C-A83A-4A97-9001-21A10B35465B}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B424206-4FC6-459D-B8D6-AFF5FAD364F4}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B424206-4FC6-459D-B8D6-AFF5FAD364F4}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{866E478C-A567-466F-86B4-2E706BFC5E3F}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{866E478C-A567-466F-86B4-2E706BFC5E3F}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{98ACD6C5-AB25-4AB8-87F1-D04AE4EF861F}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{98ACD6C5-AB25-4AB8-87F1-D04AE4EF861F}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE865EB-55C9-483C-B431-35CEA8585A95}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE865EB-55C9-483C-B431-35CEA8585A95}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AE370812-4B5A-4447-8B8A-E866F6584339}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AE370812-4B5A-4447-8B8A-E866F6584339}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{253D4845-6D95-4E1D-A690-62ED372FD28E}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{253D4845-6D95-4E1D-A690-62ED372FD28E}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{338D74E8-18C2-4C2C-9212-47C0A8C9C4A7}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{338D74E8-18C2-4C2C-9212-47C0A8C9C4A7}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45BBA95D-F9EF-4FCD-ABE2-865D4B53F661}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45BBA95D-F9EF-4FCD-ABE2-865D4B53F661}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEB7F9EC-6EF1-48E4-A758-4C3ECF22E10A}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEB7F9EC-6EF1-48E4-A758-4C3ECF22E10A}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A9C517-B618-4617-82EA-2CE1CDDF1E75}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A9C517-B618-4617-82EA-2CE1CDDF1E75}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADC5D82B-88FD-4989-906A-F161FBB47604}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADC5D82B-88FD-4989-906A-F161FBB47604}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B62459D-CCF7-486A-8395-65ED2B2FF546}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B62459D-CCF7-486A-8395-65ED2B2FF546}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74BDBEEA-5831-4799-9E93-72FB40B7735C}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74BDBEEA-5831-4799-9E93-72FB40B7735C}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7EA17382-DBD9-43DD-8F5B-0F1D4E6F4298}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7EA17382-DBD9-43DD-8F5B-0F1D4E6F4298}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E059F5C8-1528-4C9F-9811-21B413BC2DEE}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E059F5C8-1528-4C9F-9811-21B413BC2DEE}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EACCCEC4-0D75-4ABA-B43E-9F185E6C1E53}'" delete

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EACCCEC4-0D75-4ABA-B43E-9F185E6C1E53}'" delete

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/972-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

memory/972-55-0x0000000001DE0000-0x0000000001F06000-memory.dmp

memory/972-56-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/972-57-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/972-58-0x00000000001D0000-0x0000000000205000-memory.dmp

memory/972-59-0x0000000000290000-0x00000000002C3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-18 14:51

Reported

2022-03-18 14:54

Platform

win10v2004-20220310-en

Max time kernel

119s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT9F39.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT811F.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT8239.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT99CA.tmp C:\Windows\System32\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efa0d4a79c4c971c680ef8020bb526b07a13061f4eb68ee6f5af9e42c6364bd8.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 648 -ip 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 620

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 tlu.dl.delivery.mp.microsoft.com tcp
US 204.79.197.200:443 tcp

Files

memory/648-134-0x0000000002A50000-0x0000000002A85000-memory.dmp

memory/648-135-0x0000000002F10000-0x0000000002F43000-memory.dmp

memory/4072-136-0x000001355B760000-0x000001355B770000-memory.dmp

memory/4072-137-0x000001355B7C0000-0x000001355B7D0000-memory.dmp

memory/4072-138-0x000001355BB80000-0x000001355BB84000-memory.dmp

memory/4072-139-0x000001355E140000-0x000001355E144000-memory.dmp

memory/4072-140-0x000001355E140000-0x000001355E144000-memory.dmp

memory/4072-141-0x000001355E1C0000-0x000001355E1C4000-memory.dmp

memory/4072-142-0x000001355E1C0000-0x000001355E1C4000-memory.dmp