conti | 61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b

Analysis

max time kernel
152s
max time network
53s
platform
windows7_x64
resource
win7-20220331-en
submitted
29-03-2022 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
Size

310KB
MD5

bafabf22676cb0516d39a29e4b1f6bba
SHA1

901d0dd5488f9d76021ea94c75c77b17e55ced4a
SHA256

61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b
SHA512

e5f696a0d142cc201de54898557fac38778e8ce5e9969b3d8666bf8a5e8331b3bada65a6de17ce16a5a4cff533ccffbff09d5d949d3f2ae6db5bc632619d209b

Score

10^/10

conti dave ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our email [email protected] Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- r1m0powNo66txhNNT8jbLjxSeYwak8M9MWeYiUHeWKV1wjW46XyPao2FejwARuCT ---END ID---

Emails

[email protected]

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/1796-64-0x00000000002B0000-0x00000000002E3000-memory.dmp	dave

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.FXGVE	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File renamed	C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.FXGVE	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File renamed	C:\Users\Admin\Pictures\StartInstall.crw => C:\Users\Admin\Pictures\StartInstall.crw.FXGVE	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File renamed	C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.FXGVE	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe

Drops desktop.ini file(s) 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0217698.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300840.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00452_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD98.POC	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\default.jfc	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18199_.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\readme.txt	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152898.WMF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXT	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe
Token: SeSecurityPrivilege	1060	WMIC.exe
Token: SeTakeOwnershipPrivilege	1060	WMIC.exe
Token: SeLoadDriverPrivilege	1060	WMIC.exe
Token: SeSystemProfilePrivilege	1060	WMIC.exe
Token: SeSystemtimePrivilege	1060	WMIC.exe
Token: SeProfSingleProcessPrivilege	1060	WMIC.exe
Token: SeIncBasePriorityPrivilege	1060	WMIC.exe
Token: SeCreatePagefilePrivilege	1060	WMIC.exe
Token: SeBackupPrivilege	1060	WMIC.exe
Token: SeRestorePrivilege	1060	WMIC.exe
Token: SeShutdownPrivilege	1060	WMIC.exe
Token: SeDebugPrivilege	1060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1060	WMIC.exe
Token: SeRemoteShutdownPrivilege	1060	WMIC.exe
Token: SeUndockPrivilege	1060	WMIC.exe
Token: SeManageVolumePrivilege	1060	WMIC.exe
Token: 33	1060	WMIC.exe
Token: 34	1060	WMIC.exe
Token: 35	1060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1800	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	53
PID 1796 wrote to memory of 1800	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	53
PID 1796 wrote to memory of 1800	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	53
PID 1796 wrote to memory of 1800	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	53
PID 1800 wrote to memory of 848	1800	conhost.exe	32
PID 1800 wrote to memory of 848	1800	conhost.exe	32
PID 1800 wrote to memory of 848	1800	conhost.exe	32
PID 1796 wrote to memory of 1620	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	76
PID 1796 wrote to memory of 1620	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	76
PID 1796 wrote to memory of 1620	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	76
PID 1796 wrote to memory of 1620	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	76
PID 1620 wrote to memory of 1060	1620	conhost.exe	77
PID 1620 wrote to memory of 1060	1620	conhost.exe	77
PID 1620 wrote to memory of 1060	1620	conhost.exe	77
PID 1796 wrote to memory of 1916	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	38
PID 1796 wrote to memory of 1916	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	38
PID 1796 wrote to memory of 1916	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	38
PID 1796 wrote to memory of 1916	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	38
PID 1916 wrote to memory of 812	1916	cmd.exe	39
PID 1916 wrote to memory of 812	1916	cmd.exe	39
PID 1916 wrote to memory of 812	1916	cmd.exe	39
PID 1796 wrote to memory of 1328	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	42
PID 1796 wrote to memory of 1328	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	42
PID 1796 wrote to memory of 1328	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	42
PID 1796 wrote to memory of 1328	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	42
PID 1328 wrote to memory of 1612	1328	cmd.exe	41
PID 1328 wrote to memory of 1612	1328	cmd.exe	41
PID 1328 wrote to memory of 1612	1328	cmd.exe	41
PID 1796 wrote to memory of 1728	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	43
PID 1796 wrote to memory of 1728	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	43
PID 1796 wrote to memory of 1728	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	43
PID 1796 wrote to memory of 1728	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	43
PID 1728 wrote to memory of 1936	1728	cmd.exe	85
PID 1728 wrote to memory of 1936	1728	cmd.exe	85
PID 1728 wrote to memory of 1936	1728	cmd.exe	85
PID 1796 wrote to memory of 924	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	46
PID 1796 wrote to memory of 924	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	46
PID 1796 wrote to memory of 924	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	46
PID 1796 wrote to memory of 924	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	46
PID 924 wrote to memory of 2024	924	cmd.exe	48
PID 924 wrote to memory of 2024	924	cmd.exe	48
PID 924 wrote to memory of 2024	924	cmd.exe	48
PID 1796 wrote to memory of 1348	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	51
PID 1796 wrote to memory of 1348	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	51
PID 1796 wrote to memory of 1348	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	51
PID 1796 wrote to memory of 1348	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	51
PID 1348 wrote to memory of 616	1348	cmd.exe	50
PID 1348 wrote to memory of 616	1348	cmd.exe	50
PID 1348 wrote to memory of 616	1348	cmd.exe	50
PID 1796 wrote to memory of 1600	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	54
PID 1796 wrote to memory of 1600	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	54
PID 1796 wrote to memory of 1600	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	54
PID 1796 wrote to memory of 1600	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	54
PID 1600 wrote to memory of 1604	1600	cmd.exe	52
PID 1600 wrote to memory of 1604	1600	cmd.exe	52
PID 1600 wrote to memory of 1604	1600	cmd.exe	52
PID 1796 wrote to memory of 532	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	57
PID 1796 wrote to memory of 532	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	57
PID 1796 wrote to memory of 532	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	57
PID 1796 wrote to memory of 532	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	57
PID 532 wrote to memory of 760	532	cmd.exe	55
PID 532 wrote to memory of 760	532	cmd.exe	55
PID 532 wrote to memory of 760	532	cmd.exe	55
PID 1796 wrote to memory of 1568	1796	61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe	60

C:\Users\Admin\AppData\Local\Temp\61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe
"C:\Users\Admin\AppData\Local\Temp\61a17892a491b33ce44c7c62950bdc7a4e5e14defa0e53e41d4ebdaf2ebac04b.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADAE1393-DF90-4092-A904-A24381147848}'" delete
  2⤵
  PID:1800
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADAE1393-DF90-4092-A904-A24381147848}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D07965EF-6A2A-4F04-A796-0DDF2758DD9A}'" delete
  2⤵
  PID:1620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D07965EF-6A2A-4F04-A796-0DDF2758DD9A}'" delete
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{257AA580-846B-4DF3-AF3D-EB71DAE11085}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{257AA580-846B-4DF3-AF3D-EB71DAE11085}'" delete
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7B92F43E-539D-4471-B92B-6FE4F217D625}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{90D8A32C-BB30-46D2-9415-F9CB20BF00AE}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{90D8A32C-BB30-46D2-9415-F9CB20BF00AE}'" delete
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{479D3C64-906D-4805-A5AF-8BB47A9EC2BD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{479D3C64-906D-4805-A5AF-8BB47A9EC2BD}'" delete
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F878F1-5869-41F5-A8E2-B9652BF639B3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52F310AE-9E84-49A7-9BEA-BEB4FC07BDE9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55970A64-43E7-4AB4-9648-191BF48CDCF6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63EA98CA-1312-4816-922E-5F1E5A35E8F4}'" delete
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{398D8D55-DE4F-44DB-A0A6-8BE33BEACE95}'" delete
  2⤵
  PID:2020
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{398D8D55-DE4F-44DB-A0A6-8BE33BEACE95}'" delete
    3⤵
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E0586DD-8F2B-450B-A15E-C5BBE1DA3079}'" delete
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79D961E6-6071-4930-9E21-4F8327BE781F}'" delete
  2⤵
  PID:1232
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA0B5B71-925D-4F27-91FE-A1A7C09CFA98}'" delete
  2⤵
  PID:1240
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4255D44-FF7B-4B34-9B08-C7A299744356}'" delete
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19C372D6-A6E9-4F6B-90B0-8FD1ED6A431E}'" delete
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{24EE15D5-EDED-4F0F-ADB0-362B3BE5DC24}'" delete
  2⤵
  PID:336
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB765B6-A1C3-4995-975A-E692C4BD3DE6}'" delete
  2⤵
  PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7B92F43E-539D-4471-B92B-6FE4F217D625}'" delete
1⤵
PID:1612

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F878F1-5869-41F5-A8E2-B9652BF639B3}'" delete
1⤵
PID:616

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52F310AE-9E84-49A7-9BEA-BEB4FC07BDE9}'" delete
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-631703864-168158157513274622-20073343892146584834-1098223633524736765-315338834"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55970A64-43E7-4AB4-9648-191BF48CDCF6}'" delete
1⤵
PID:760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63EA98CA-1312-4816-922E-5F1E5A35E8F4}'" delete
1⤵
PID:1156

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E0586DD-8F2B-450B-A15E-C5BBE1DA3079}'" delete
1⤵
PID:272

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79D961E6-6071-4930-9E21-4F8327BE781F}'" delete
1⤵
PID:564

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA0B5B71-925D-4F27-91FE-A1A7C09CFA98}'" delete
1⤵
PID:1700

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4255D44-FF7B-4B34-9B08-C7A299744356}'" delete
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-764163926-1969676294490145870193189922233219-2091619224-693783902-908184904"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19C372D6-A6E9-4F6B-90B0-8FD1ED6A431E}'" delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{24EE15D5-EDED-4F0F-ADB0-362B3BE5DC24}'" delete
1⤵
PID:1388

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB765B6-A1C3-4995-975A-E692C4BD3DE6}'" delete
1⤵
PID:1108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-54-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1796-64-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1796-63-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1796-58-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download