Analysis
  max time kernel: 69s
  max time network: 52s
  platform: windows7_x64
  resource: win7-20220331-en
  submitted: 11-04-2022 15:54

Static task: static1

Behavioral task: behavioral1
  Sample: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
  Resource: win7-20220331-en

Behavioral task: behavioral2
  Sample: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
  Resource: win10v2004-20220331-en

General
  Target: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
  Size: 175KB
  MD5: f746ea39c0c5ff9d0a1f2d250170ad80
  SHA1: dac28369f5a4436b2556f9b4f875e78d5c233edb
  SHA256: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907
  SHA512: dffb4eaa4119df790eb6b85ae341ee2ba4438d7983d0023320f19a4f2df201a3fc3d4d3cc4f1a67c6d1cad4809ac1b914bdad584da7df1b500354386f07fbc30

Malware Config
  Extracted
    Ransom note path: C:\R3ADM3.txt
    Contact address: network_battalion_0065@riseup.net
Signatures

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
  File renamed: C:\Users\Admin\Pictures\AssertSwitch.raw => C:\Users\Admin\Pictures\AssertSwitch.raw.NB65
  File renamed: C:\Users\Admin\Pictures\MoveRedo.tif => C:\Users\Admin\Pictures\MoveRedo.tif.NB65
  File renamed: C:\Users\Admin\Pictures\UnregisterRead.crw => C:\Users\Admin\Pictures\UnregisterRead.crw.NB65
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (46 IoCs)
Process: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
All 46 entries are "File opened for modification" by the process above:
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U2E1B8OT\desktop.ini
  C:\Program Files\Microsoft Games\Hearts\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\Recorded TV\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Program Files\Microsoft Games\Solitaire\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TPX4ME9K\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Z1DVFBW9\desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\T3THKBLM\desktop.ini
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Public\Videos\Sample Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Program Files\Microsoft Games\Chess\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\Program Files\Microsoft Games\Mahjong\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Program Files\Microsoft Games\FreeCell\desktop.ini
  C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Program Files\desktop.ini
  C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
Drops file in Program Files directory (64 IoCs)
Process: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
All entries are by the process above; "created" marks the dropped ransom note, every other entry is "File opened for modification":
  C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer
  created: C:\Program Files (x86)\Common Files\microsoft shared\ink\R3ADM3.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar
  created: C:\Program Files\VideoLAN\VLC\locale\sr\R3ADM3.txt
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCRD98.POC
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT
  C:\Program Files\Java\jre7\lib\zi\America\Rainy_River
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml
  created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\R3ADM3.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153305.WMF
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif
  C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT
  C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\EXPLODE.WAV
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT
  C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG
  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS
  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF
  C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS
  C:\Program Files\Java\jre7\lib\zi\Australia\Hobart
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF
  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api
  C:\Program Files\Common Files\System\msadc\adcvbs.inc
  created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\R3ADM3.txt
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml
  C:\Program Files\7-Zip\Lang\lij.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF
  C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx
  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG
  C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml
  created: C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\R3ADM3.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
  pid 1884  7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe  (the same entry is recorded for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: vssvc.exe, WMIC.exe, WMIC.exe
  vssvc.exe (pid 2024), tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (pid 1436), the following token sequence recorded twice:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe (pid 824), the same token sequence recorded once, followed by SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe, cmd.exe (9 instances)
Each line gives source PID and process, target PID and process, and how many identical entries the report holds:
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1868 cmd.exe   (4 entries)
  PID 1868 cmd.exe -> 1436 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 812 cmd.exe    (4 entries)
  PID 812 cmd.exe -> 824 WMIC.exe     (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1528 cmd.exe   (4 entries)
  PID 1528 cmd.exe -> 1352 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1056 cmd.exe   (4 entries)
  PID 1056 cmd.exe -> 1480 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1536 cmd.exe   (4 entries)
  PID 1536 cmd.exe -> 1400 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1752 cmd.exe   (4 entries)
  PID 1752 cmd.exe -> 1748 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 992 cmd.exe    (4 entries)
  PID 992 cmd.exe -> 672 WMIC.exe     (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1436 cmd.exe   (4 entries; PID 1436 is reused here for a cmd.exe instance)
  PID 1436 cmd.exe -> 1964 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1788 cmd.exe   (4 entries)
  PID 1788 cmd.exe -> 1328 WMIC.exe   (3 entries)
  PID 1884 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe -> 1620 cmd.exe   (1 entry)
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe
"C:\Users\Admin\AppData\Local\Temp\7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADAE1393-DF90-4092-A904-A24381147848}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ADAE1393-DF90-4092-A904-A24381147848}'" delete
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D07965EF-6A2A-4F04-A796-0DDF2758DD9A}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D07965EF-6A2A-4F04-A796-0DDF2758DD9A}'" delete
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{257AA580-846B-4DF3-AF3D-EB71DAE11085}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{257AA580-846B-4DF3-AF3D-EB71DAE11085}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7B92F43E-539D-4471-B92B-6FE4F217D625}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7B92F43E-539D-4471-B92B-6FE4F217D625}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{90D8A32C-BB30-46D2-9415-F9CB20BF00AE}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{90D8A32C-BB30-46D2-9415-F9CB20BF00AE}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{479D3C64-906D-4805-A5AF-8BB47A9EC2BD}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{479D3C64-906D-4805-A5AF-8BB47A9EC2BD}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F878F1-5869-41F5-A8E2-B9652BF639B3}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F878F1-5869-41F5-A8E2-B9652BF639B3}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52F310AE-9E84-49A7-9BEA-BEB4FC07BDE9}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52F310AE-9E84-49A7-9BEA-BEB4FC07BDE9}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55970A64-43E7-4AB4-9648-191BF48CDCF6}'" delete
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55970A64-43E7-4AB4-9648-191BF48CDCF6}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63EA98CA-1312-4816-922E-5F1E5A35E8F4}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63EA98CA-1312-4816-922E-5F1E5A35E8F4}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{398D8D55-DE4F-44DB-A0A6-8BE33BEACE95}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{398D8D55-DE4F-44DB-A0A6-8BE33BEACE95}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E0586DD-8F2B-450B-A15E-C5BBE1DA3079}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9E0586DD-8F2B-450B-A15E-C5BBE1DA3079}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79D961E6-6071-4930-9E21-4F8327BE781F}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79D961E6-6071-4930-9E21-4F8327BE781F}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA0B5B71-925D-4F27-91FE-A1A7C09CFA98}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA0B5B71-925D-4F27-91FE-A1A7C09CFA98}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4255D44-FF7B-4B34-9B08-C7A299744356}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4255D44-FF7B-4B34-9B08-C7A299744356}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19C372D6-A6E9-4F6B-90B0-8FD1ED6A431E}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19C372D6-A6E9-4F6B-90B0-8FD1ED6A431E}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{24EE15D5-EDED-4F0F-ADB0-362B3BE5DC24}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{24EE15D5-EDED-4F0F-ADB0-362B3BE5DC24}'" delete
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB765B6-A1C3-4995-975A-E692C4BD3DE6}'" delete
-
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB765B6-A1C3-4995-975A-E692C4BD3DE6}'" delete
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/428-90-0x0000000000000000-mapping.dmp
-
memory/512-86-0x0000000000000000-mapping.dmp
-
memory/620-84-0x0000000000000000-mapping.dmp
-
memory/672-68-0x0000000000000000-mapping.dmp
-
memory/812-57-0x0000000000000000-mapping.dmp
-
memory/824-58-0x0000000000000000-mapping.dmp
-
memory/848-79-0x0000000000000000-mapping.dmp
-
memory/940-85-0x0000000000000000-mapping.dmp
-
memory/992-67-0x0000000000000000-mapping.dmp
-
memory/1056-61-0x0000000000000000-mapping.dmp
-
memory/1132-82-0x0000000000000000-mapping.dmp
-
memory/1204-74-0x0000000000000000-mapping.dmp
-
memory/1300-78-0x0000000000000000-mapping.dmp
-
memory/1328-72-0x0000000000000000-mapping.dmp
-
memory/1336-83-0x0000000000000000-mapping.dmp
-
memory/1352-60-0x0000000000000000-mapping.dmp
-
memory/1400-64-0x0000000000000000-mapping.dmp
-
memory/1436-69-0x0000000000000000-mapping.dmp
-
memory/1436-56-0x0000000000000000-mapping.dmp
-
memory/1480-62-0x0000000000000000-mapping.dmp
-
memory/1480-76-0x0000000000000000-mapping.dmp
-
memory/1500-75-0x0000000000000000-mapping.dmp
-
memory/1528-59-0x0000000000000000-mapping.dmp
-
memory/1536-63-0x0000000000000000-mapping.dmp
-
memory/1544-80-0x0000000000000000-mapping.dmp
-
memory/1620-73-0x0000000000000000-mapping.dmp
-
memory/1628-87-0x0000000000000000-mapping.dmp
-
memory/1684-88-0x0000000000000000-mapping.dmp
-
memory/1748-66-0x0000000000000000-mapping.dmp
-
memory/1752-65-0x0000000000000000-mapping.dmp
-
memory/1788-71-0x0000000000000000-mapping.dmp
-
memory/1868-55-0x0000000000000000-mapping.dmp
-
memory/1884-54-0x0000000075821000-0x0000000075823000-memory.dmp
Filesize: 8KB
-
memory/1888-77-0x0000000000000000-mapping.dmp
-
memory/1964-70-0x0000000000000000-mapping.dmp
-
memory/1968-89-0x0000000000000000-mapping.dmp
-
memory/2008-81-0x0000000000000000-mapping.dmp