conti | 4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9

Analysis

max time kernel
152s
max time network
93s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
Size

196KB
MD5

40a5a507f169ce90ad972fb8c1feb405
SHA1

0b7b778ac244a82694c4bf7818bfbea44f8ce7d7
SHA256

4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9
SHA512

d7b7ed747175fecdbf7e35e96965de7cafff78c5fd20e351e219e01312b33836a3d26d6ee90eef662b590f2a3d8a0a5c3b3bab7ac8acdea6fbb00618218bb31a

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 4C5vgfrLN5lYVhVYOrHK7ENa9GytbQOmpNgUIjyeAr8lROT5z1cscxMBiZcgyIZD ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SuspendAdd.png => C:\Users\Admin\Pictures\SuspendAdd.png.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendTrace.tiff	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\SuspendTrace.tiff => C:\Users\Admin\Pictures\SuspendTrace.tiff.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\UnregisterWait.raw => C:\Users\Admin\Pictures\UnregisterWait.raw.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\ImportDismount.crw => C:\Users\Admin\Pictures\ImportDismount.crw.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\SearchResume.tiff	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\StopSync.png => C:\Users\Admin\Pictures\StopSync.png.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\UseExport.tif => C:\Users\Admin\Pictures\UseExport.tif.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\CompareApprove.crw => C:\Users\Admin\Pictures\CompareApprove.crw.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\SearchResume.tiff => C:\Users\Admin\Pictures\SearchResume.tiff.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212751.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3ES.LEX	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21422_.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.ELM	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18251_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\MSBuild\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.INF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00494_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Internet Explorer\de-DE\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1764	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	29
PID 1480 wrote to memory of 1764	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	29
PID 1480 wrote to memory of 1764	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	29
PID 1480 wrote to memory of 1764	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	29
PID 1764 wrote to memory of 1328	1764	cmd.exe	31
PID 1764 wrote to memory of 1328	1764	cmd.exe	31
PID 1764 wrote to memory of 1328	1764	cmd.exe	31
PID 1480 wrote to memory of 1208	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	32
PID 1480 wrote to memory of 1208	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	32
PID 1480 wrote to memory of 1208	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	32
PID 1480 wrote to memory of 1208	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	32
PID 1208 wrote to memory of 428	1208	cmd.exe	34
PID 1208 wrote to memory of 428	1208	cmd.exe	34
PID 1208 wrote to memory of 428	1208	cmd.exe	34
PID 1480 wrote to memory of 1788	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	35
PID 1480 wrote to memory of 1788	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	35
PID 1480 wrote to memory of 1788	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	35
PID 1480 wrote to memory of 1788	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	35
PID 1788 wrote to memory of 816	1788	cmd.exe	37
PID 1788 wrote to memory of 816	1788	cmd.exe	37
PID 1788 wrote to memory of 816	1788	cmd.exe	37
PID 1480 wrote to memory of 1912	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	38
PID 1480 wrote to memory of 1912	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	38
PID 1480 wrote to memory of 1912	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	38
PID 1480 wrote to memory of 1912	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	38
PID 1912 wrote to memory of 1908	1912	cmd.exe	40
PID 1912 wrote to memory of 1908	1912	cmd.exe	40
PID 1912 wrote to memory of 1908	1912	cmd.exe	40
PID 1480 wrote to memory of 580	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	41
PID 1480 wrote to memory of 580	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	41
PID 1480 wrote to memory of 580	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	41
PID 1480 wrote to memory of 580	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	41
PID 580 wrote to memory of 1176	580	cmd.exe	43
PID 580 wrote to memory of 1176	580	cmd.exe	43
PID 580 wrote to memory of 1176	580	cmd.exe	43
PID 1480 wrote to memory of 680	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	44
PID 1480 wrote to memory of 680	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	44
PID 1480 wrote to memory of 680	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	44
PID 1480 wrote to memory of 680	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	44
PID 680 wrote to memory of 572	680	cmd.exe	46
PID 680 wrote to memory of 572	680	cmd.exe	46
PID 680 wrote to memory of 572	680	cmd.exe	46
PID 1480 wrote to memory of 1032	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	47
PID 1480 wrote to memory of 1032	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	47
PID 1480 wrote to memory of 1032	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	47
PID 1480 wrote to memory of 1032	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	47
PID 1032 wrote to memory of 1576	1032	cmd.exe	49
PID 1032 wrote to memory of 1576	1032	cmd.exe	49
PID 1032 wrote to memory of 1576	1032	cmd.exe	49
PID 1480 wrote to memory of 1592	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	50
PID 1480 wrote to memory of 1592	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	50
PID 1480 wrote to memory of 1592	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	50
PID 1480 wrote to memory of 1592	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	50
PID 1592 wrote to memory of 1572	1592	cmd.exe	52
PID 1592 wrote to memory of 1572	1592	cmd.exe	52
PID 1592 wrote to memory of 1572	1592	cmd.exe	52
PID 1480 wrote to memory of 1732	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	53
PID 1480 wrote to memory of 1732	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	53
PID 1480 wrote to memory of 1732	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	53
PID 1480 wrote to memory of 1732	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	53
PID 1732 wrote to memory of 1708	1732	cmd.exe	55
PID 1732 wrote to memory of 1708	1732	cmd.exe	55
PID 1732 wrote to memory of 1708	1732	cmd.exe	55
PID 1480 wrote to memory of 1072	1480	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	56

C:\Users\Admin\AppData\Local\Temp\4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
"C:\Users\Admin\AppData\Local\Temp\4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
    3⤵
    PID:816
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
    3⤵
    PID:572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
  2⤵
  PID:1072
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
    3⤵
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
  2⤵
  PID:468
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
  2⤵
  PID:1568
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
  2⤵
  PID:836
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
    3⤵
    PID:856
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
  2⤵
  PID:1204
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
  2⤵
  PID:1700
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
  2⤵
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
  2⤵
  PID:1956
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
    3⤵
    PID:520
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
  2⤵
  PID:624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
    3⤵
    PID:1676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download