conti | 4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9

Analysis

max time kernel
109s
max time network
53s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-05-2022 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
Size

196KB
MD5

40a5a507f169ce90ad972fb8c1feb405
SHA1

0b7b778ac244a82694c4bf7818bfbea44f8ce7d7
SHA256

4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9
SHA512

d7b7ed747175fecdbf7e35e96965de7cafff78c5fd20e351e219e01312b33836a3d26d6ee90eef662b590f2a3d8a0a5c3b3bab7ac8acdea6fbb00618218bb31a

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 4C5vgfrLN5lYVhVYOrHK7ENa9GytbQOmpNgUIjyeAr8lROT5z1cscxMBiZcgyIZD ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UndoResume.png => C:\Users\Admin\Pictures\UndoResume.png.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\JoinAssert.tif => C:\Users\Admin\Pictures\JoinAssert.tif.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\MountGrant.tiff	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\NewExit.tiff => C:\Users\Admin\Pictures\NewExit.tiff.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\SplitAssert.crw => C:\Users\Admin\Pictures\SplitAssert.crw.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockAdd.tiff	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\UnblockAdd.tiff => C:\Users\Admin\Pictures\UnblockAdd.tiff.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.tiff => C:\Users\Admin\Pictures\MountGrant.tiff.IIATR	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\NewExit.tiff	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Links\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P4R98AUH\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8WU7A3BP\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VRG14UW3\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PWZ8QZ9F\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Public\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Common Files\SpeechEngines\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\FAXEXT.ECF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\THMBNAIL.PNG	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AWARDHM.POC	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00372_.WMF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\readme.txt	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	648	WMIC.exe
Token: SeSecurityPrivilege	648	WMIC.exe
Token: SeTakeOwnershipPrivilege	648	WMIC.exe
Token: SeLoadDriverPrivilege	648	WMIC.exe
Token: SeSystemProfilePrivilege	648	WMIC.exe
Token: SeSystemtimePrivilege	648	WMIC.exe
Token: SeProfSingleProcessPrivilege	648	WMIC.exe
Token: SeIncBasePriorityPrivilege	648	WMIC.exe
Token: SeCreatePagefilePrivilege	648	WMIC.exe
Token: SeBackupPrivilege	648	WMIC.exe
Token: SeRestorePrivilege	648	WMIC.exe
Token: SeShutdownPrivilege	648	WMIC.exe
Token: SeDebugPrivilege	648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	648	WMIC.exe
Token: SeRemoteShutdownPrivilege	648	WMIC.exe
Token: SeUndockPrivilege	648	WMIC.exe
Token: SeManageVolumePrivilege	648	WMIC.exe
Token: 33	648	WMIC.exe
Token: 34	648	WMIC.exe
Token: 35	648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	648	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 900	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	30
PID 328 wrote to memory of 900	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	30
PID 328 wrote to memory of 900	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	30
PID 328 wrote to memory of 900	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	30
PID 900 wrote to memory of 976	900	cmd.exe	32
PID 900 wrote to memory of 976	900	cmd.exe	32
PID 900 wrote to memory of 976	900	cmd.exe	32
PID 328 wrote to memory of 928	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	33
PID 328 wrote to memory of 928	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	33
PID 328 wrote to memory of 928	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	33
PID 328 wrote to memory of 928	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	33
PID 928 wrote to memory of 648	928	cmd.exe	35
PID 928 wrote to memory of 648	928	cmd.exe	35
PID 928 wrote to memory of 648	928	cmd.exe	35
PID 328 wrote to memory of 1996	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	36
PID 328 wrote to memory of 1996	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	36
PID 328 wrote to memory of 1996	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	36
PID 328 wrote to memory of 1996	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	36
PID 1996 wrote to memory of 688	1996	cmd.exe	38
PID 1996 wrote to memory of 688	1996	cmd.exe	38
PID 1996 wrote to memory of 688	1996	cmd.exe	38
PID 328 wrote to memory of 1972	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	39
PID 328 wrote to memory of 1972	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	39
PID 328 wrote to memory of 1972	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	39
PID 328 wrote to memory of 1972	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	39
PID 1972 wrote to memory of 1904	1972	cmd.exe	41
PID 1972 wrote to memory of 1904	1972	cmd.exe	41
PID 1972 wrote to memory of 1904	1972	cmd.exe	41
PID 328 wrote to memory of 1468	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	42
PID 328 wrote to memory of 1468	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	42
PID 328 wrote to memory of 1468	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	42
PID 328 wrote to memory of 1468	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	42
PID 1468 wrote to memory of 1432	1468	cmd.exe	44
PID 1468 wrote to memory of 1432	1468	cmd.exe	44
PID 1468 wrote to memory of 1432	1468	cmd.exe	44
PID 328 wrote to memory of 1784	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	45
PID 328 wrote to memory of 1784	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	45
PID 328 wrote to memory of 1784	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	45
PID 328 wrote to memory of 1784	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	45
PID 1784 wrote to memory of 1420	1784	cmd.exe	47
PID 1784 wrote to memory of 1420	1784	cmd.exe	47
PID 1784 wrote to memory of 1420	1784	cmd.exe	47
PID 328 wrote to memory of 1084	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	48
PID 328 wrote to memory of 1084	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	48
PID 328 wrote to memory of 1084	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	48
PID 328 wrote to memory of 1084	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	48
PID 1084 wrote to memory of 1096	1084	cmd.exe	50
PID 1084 wrote to memory of 1096	1084	cmd.exe	50
PID 1084 wrote to memory of 1096	1084	cmd.exe	50
PID 328 wrote to memory of 1672	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	51
PID 328 wrote to memory of 1672	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	51
PID 328 wrote to memory of 1672	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	51
PID 328 wrote to memory of 1672	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	51
PID 1672 wrote to memory of 1864	1672	cmd.exe	53
PID 1672 wrote to memory of 1864	1672	cmd.exe	53
PID 1672 wrote to memory of 1864	1672	cmd.exe	53
PID 328 wrote to memory of 1760	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	54
PID 328 wrote to memory of 1760	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	54
PID 328 wrote to memory of 1760	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	54
PID 328 wrote to memory of 1760	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	54
PID 1760 wrote to memory of 1612	1760	cmd.exe	56
PID 1760 wrote to memory of 1612	1760	cmd.exe	56
PID 1760 wrote to memory of 1612	1760	cmd.exe	56
PID 328 wrote to memory of 1756	328	4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe	57

C:\Users\Admin\AppData\Local\Temp\4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe
"C:\Users\Admin\AppData\Local\Temp\4f17d7fa344b970890ed1bc52a0da95146cab9fe56ecabafafacb0ad212558c9.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76AC6197-90C7-420E-B11E-6A2516FF8E2D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76AC6197-90C7-420E-B11E-6A2516FF8E2D}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E56416A-BF66-446A-B148-2A39E9FCA4B5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E56416A-BF66-446A-B148-2A39E9FCA4B5}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F361F5A-1610-4BA2-9BA9-1645A9446999}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F361F5A-1610-4BA2-9BA9-1645A9446999}'" delete
    3⤵
    PID:688
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D610F04-AD15-4B57-9EA6-EB43E2C1C6DF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D610F04-AD15-4B57-9EA6-EB43E2C1C6DF}'" delete
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0E55958-2020-473C-9645-DF3748D6F6A4}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0E55958-2020-473C-9645-DF3748D6F6A4}'" delete
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{619A972D-EF4E-4B77-837E-5DE48EF820EC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{619A972D-EF4E-4B77-837E-5DE48EF820EC}'" delete
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1DEBA3A-4233-4F6A-B0A6-2E017D747A9A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1DEBA3A-4233-4F6A-B0A6-2E017D747A9A}'" delete
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C872AF79-0700-48FC-9D3C-620ACCCF125A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C872AF79-0700-48FC-9D3C-620ACCCF125A}'" delete
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57B5DEAB-94E0-46A5-89C5-2C18E67636E4}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57B5DEAB-94E0-46A5-89C5-2C18E67636E4}'" delete
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AD8C89DA-2F62-4C23-BE5C-1DD2769C2420}'" delete
  2⤵
  PID:1756
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AD8C89DA-2F62-4C23-BE5C-1DD2769C2420}'" delete
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{580A970C-24DA-4D9A-A28A-962298A8D599}'" delete
  2⤵
  PID:240
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{580A970C-24DA-4D9A-A28A-962298A8D599}'" delete
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{11C26B9A-774E-4AC8-91B6-1F37960DB3B0}'" delete
  2⤵
  PID:564
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{11C26B9A-774E-4AC8-91B6-1F37960DB3B0}'" delete
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52E1C6F5-6F79-493E-994C-89C84E382272}'" delete
  2⤵
  PID:1752
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52E1C6F5-6F79-493E-994C-89C84E382272}'" delete
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1CD1F01-92C2-4236-9193-BF34A6AA5E16}'" delete
  2⤵
  PID:528
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1CD1F01-92C2-4236-9193-BF34A6AA5E16}'" delete
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9ECABC77-681B-471C-A179-460D3241734C}'" delete
  2⤵
  PID:276
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9ECABC77-681B-471C-A179-460D3241734C}'" delete
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFB728F7-3235-4FB0-8DB0-4257DF5FE6AD}'" delete
  2⤵
  PID:580
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFB728F7-3235-4FB0-8DB0-4257DF5FE6AD}'" delete
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63719DDD-2CC8-4F5D-B63D-B91C19D27CA7}'" delete
  2⤵
  PID:1440
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63719DDD-2CC8-4F5D-B63D-B91C19D27CA7}'" delete
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB29A07-C54D-4DD3-83EF-1409EA1E90FF}'" delete
  2⤵
  PID:1956
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AB29A07-C54D-4DD3-83EF-1409EA1E90FF}'" delete
    3⤵
    PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download