conti | 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9

Analysis

max time kernel
110s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-05-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
Size

190KB
MD5

2dc5a4338d438ea4e78878cff4cfe2cf
SHA1

cfdd6e3a69b12d43af94cb0441db3e1ef93f74f8
SHA256

1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9
SHA512

32a8d6f2fa1e472aefa8cc41cb59b5b67e84d336ca35c5b1f5d2a2ad2eae5a7ba1cbfba17f75261b0220a5d896b72bb4b95c5c86a6c8bda4b9bf50463f2222fc

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- FQ6C1V320lsGoEpDS1i4SFkTzLnOQ9vSXpwMwYdsE7CL2myTZeHVHuuqtzHQGOpB ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SwitchRead.tiff	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\SwitchRead.tiff => C:\Users\Admin\Pictures\SwitchRead.tiff.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\InvokeOpen.raw => C:\Users\Admin\Pictures\InvokeOpen.raw.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\MeasureCompress.tif => C:\Users\Admin\Pictures\MeasureCompress.tif.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\MeasureInitialize.raw => C:\Users\Admin\Pictures\MeasureInitialize.raw.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Pictures\OpenSync.tiff	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\OpenSync.tiff => C:\Users\Admin\Pictures\OpenSync.tiff.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\PopSelect.crw => C:\Users\Admin\Pictures\PopSelect.crw.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9BAYTI1Z\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GA2W0K9L\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1O80FYZJ\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TP9I05FL\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\NewExpand.m4v	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ACT3.SAM	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBHW6.CHM	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00222_.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU98.POC	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.DPV	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04225_.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153508.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282928.WMF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR22F.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion14.gta	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe
Token: 34	1268	WMIC.exe
Token: 35	1268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1700	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	29
PID 1884 wrote to memory of 1700	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	29
PID 1884 wrote to memory of 1700	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	29
PID 1884 wrote to memory of 1700	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	29
PID 1700 wrote to memory of 1004	1700	cmd.exe	31
PID 1700 wrote to memory of 1004	1700	cmd.exe	31
PID 1700 wrote to memory of 1004	1700	cmd.exe	31
PID 1884 wrote to memory of 1248	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	32
PID 1884 wrote to memory of 1248	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	32
PID 1884 wrote to memory of 1248	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	32
PID 1884 wrote to memory of 1248	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	32
PID 1248 wrote to memory of 1268	1248	cmd.exe	34
PID 1248 wrote to memory of 1268	1248	cmd.exe	34
PID 1248 wrote to memory of 1268	1248	cmd.exe	34
PID 1884 wrote to memory of 1848	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	35
PID 1884 wrote to memory of 1848	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	35
PID 1884 wrote to memory of 1848	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	35
PID 1884 wrote to memory of 1848	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	35
PID 1848 wrote to memory of 1732	1848	cmd.exe	37
PID 1848 wrote to memory of 1732	1848	cmd.exe	37
PID 1848 wrote to memory of 1732	1848	cmd.exe	37
PID 1884 wrote to memory of 1864	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	38
PID 1884 wrote to memory of 1864	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	38
PID 1884 wrote to memory of 1864	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	38
PID 1884 wrote to memory of 1864	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	38
PID 1864 wrote to memory of 1876	1864	cmd.exe	40
PID 1864 wrote to memory of 1876	1864	cmd.exe	40
PID 1864 wrote to memory of 1876	1864	cmd.exe	40
PID 1884 wrote to memory of 1980	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	41
PID 1884 wrote to memory of 1980	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	41
PID 1884 wrote to memory of 1980	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	41
PID 1884 wrote to memory of 1980	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	41
PID 1980 wrote to memory of 1308	1980	cmd.exe	43
PID 1980 wrote to memory of 1308	1980	cmd.exe	43
PID 1980 wrote to memory of 1308	1980	cmd.exe	43
PID 1884 wrote to memory of 624	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	44
PID 1884 wrote to memory of 624	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	44
PID 1884 wrote to memory of 624	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	44
PID 1884 wrote to memory of 624	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	44
PID 624 wrote to memory of 1180	624	cmd.exe	46
PID 624 wrote to memory of 1180	624	cmd.exe	46
PID 624 wrote to memory of 1180	624	cmd.exe	46
PID 1884 wrote to memory of 1292	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	47
PID 1884 wrote to memory of 1292	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	47
PID 1884 wrote to memory of 1292	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	47
PID 1884 wrote to memory of 1292	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	47
PID 1292 wrote to memory of 1260	1292	cmd.exe	49
PID 1292 wrote to memory of 1260	1292	cmd.exe	49
PID 1292 wrote to memory of 1260	1292	cmd.exe	49
PID 1884 wrote to memory of 916	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	50
PID 1884 wrote to memory of 916	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	50
PID 1884 wrote to memory of 916	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	50
PID 1884 wrote to memory of 916	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	50
PID 916 wrote to memory of 1512	916	cmd.exe	52
PID 916 wrote to memory of 1512	916	cmd.exe	52
PID 916 wrote to memory of 1512	916	cmd.exe	52
PID 1884 wrote to memory of 1940	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	53
PID 1884 wrote to memory of 1940	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	53
PID 1884 wrote to memory of 1940	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	53
PID 1884 wrote to memory of 1940	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	53
PID 1940 wrote to memory of 928	1940	cmd.exe	55
PID 1940 wrote to memory of 928	1940	cmd.exe	55
PID 1940 wrote to memory of 928	1940	cmd.exe	55
PID 1884 wrote to memory of 756	1884	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	56

C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
"C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
  2⤵
  PID:756
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
    3⤵
    PID:1956
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
  2⤵
  PID:1128
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
  2⤵
  PID:1468
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
  2⤵
  PID:684
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
  2⤵
  PID:1668
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
  2⤵
  PID:1616
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
  2⤵
  PID:1444
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
  2⤵
  PID:1608
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
  2⤵
  PID:1440
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
    3⤵
    PID:1268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download