1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420

General

Target

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
Size

740KB
MD5

95b62355385af3d2711b7a8e759ed664
SHA1

6c66c4005b14c14a1029a601eeed55cab21ae713
SHA256

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420
SHA512

2b32851fd222e4fc06748b1f6f1f9b6b9ffd1e7d95e5c2c8665de0d55a825cd1918763d2b0af0200c2332dd5c5b33a5fe1183dc565046a7f457a00c4bee180dd

Score

8^/10

dave ransomware spyware stealer

Malware Config

Signatures

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/736-64-0x0000000001D70000-0x0000000001DA2000-memory.dmp	dave

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertToSet.raw => C:\Users\Admin\Pictures\ConvertToSet.raw.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File renamed	C:\Users\Admin\Pictures\GrantWait.png => C:\Users\Admin\Pictures\GrantWait.png.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.raw => C:\Users\Admin\Pictures\ImportComplete.raw.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Pictures\NewBackup.tiff	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.tiff => C:\Users\Admin\Pictures\NewBackup.tiff.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeEdit.tiff	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File renamed	C:\Users\Admin\Pictures\ResumeEdit.tiff => C:\Users\Admin\Pictures\ResumeEdit.tiff.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File renamed	C:\Users\Admin\Pictures\UnregisterGrant.raw => C:\Users\Admin\Pictures\UnregisterGrant.raw.QMIBK	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A9INZ3MO\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

Drops file in Program Files directory 64 IoCs

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107358.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197979.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files\Internet Explorer\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONFLICT.ICO	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.XML	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47F.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files\Microsoft Games\Purble Place\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\R3ADM3.txt	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02045_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18241_.WMF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

pid	process
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1724	vssvc.exe
Token: SeRestorePrivilege	1724	vssvc.exe
Token: SeAuditPrivilege	1724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	292	WMIC.exe
Token: SeSecurityPrivilege	292	WMIC.exe
Token: SeTakeOwnershipPrivilege	292	WMIC.exe
Token: SeLoadDriverPrivilege	292	WMIC.exe
Token: SeSystemProfilePrivilege	292	WMIC.exe
Token: SeSystemtimePrivilege	292	WMIC.exe
Token: SeProfSingleProcessPrivilege	292	WMIC.exe
Token: SeIncBasePriorityPrivilege	292	WMIC.exe
Token: SeCreatePagefilePrivilege	292	WMIC.exe
Token: SeBackupPrivilege	292	WMIC.exe
Token: SeRestorePrivilege	292	WMIC.exe
Token: SeShutdownPrivilege	292	WMIC.exe
Token: SeDebugPrivilege	292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	292	WMIC.exe
Token: SeRemoteShutdownPrivilege	292	WMIC.exe
Token: SeUndockPrivilege	292	WMIC.exe
Token: SeManageVolumePrivilege	292	WMIC.exe
Token: 33	292	WMIC.exe
Token: 34	292	WMIC.exe
Token: 35	292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	292	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

pid process

736 1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1660	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1660	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1660	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1660	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1660 wrote to memory of 1152	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 1152	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 1152	1660	cmd.exe	WMIC.exe
PID 736 wrote to memory of 808	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 808	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 808	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 808	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 808 wrote to memory of 292	808	cmd.exe	WMIC.exe
PID 808 wrote to memory of 292	808	cmd.exe	WMIC.exe
PID 808 wrote to memory of 292	808	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1460	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1460	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1460	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1460	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1460 wrote to memory of 1852	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1852	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1852	1460	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1732	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1732	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1732	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1732	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1732 wrote to memory of 1520	1732	cmd.exe	WMIC.exe
PID 1732 wrote to memory of 1520	1732	cmd.exe	WMIC.exe
PID 1732 wrote to memory of 1520	1732	cmd.exe	WMIC.exe
PID 736 wrote to memory of 576	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 576	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 576	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 576	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 576 wrote to memory of 1924	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1924	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1924	576	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1360	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1360	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1360	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1360	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1360 wrote to memory of 908	1360	cmd.exe	WMIC.exe
PID 1360 wrote to memory of 908	1360	cmd.exe	WMIC.exe
PID 1360 wrote to memory of 908	1360	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1588	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1588	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1588	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1588	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1588 wrote to memory of 1596	1588	cmd.exe	WMIC.exe
PID 1588 wrote to memory of 1596	1588	cmd.exe	WMIC.exe
PID 1588 wrote to memory of 1596	1588	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1056	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1056	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1056	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 1056	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 1056 wrote to memory of 1280	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1280	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1280	1056	cmd.exe	WMIC.exe
PID 736 wrote to memory of 752	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 752	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 752	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 736 wrote to memory of 752	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe
PID 752 wrote to memory of 972	752	cmd.exe	WMIC.exe
PID 752 wrote to memory of 972	752	cmd.exe	WMIC.exe
PID 752 wrote to memory of 972	752	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1168	736	1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
"C:\Users\Admin\AppData\Local\Temp\1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete
3⤵
PID:1852

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete
3⤵
PID:1520

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete
3⤵
PID:1924

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete
3⤵
PID:908

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete
3⤵
PID:1596

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete
3⤵
PID:1280

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete
3⤵
PID:972

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete
2⤵
PID:1168

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete
3⤵
PID:1556

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete
2⤵
PID:1104

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete
3⤵
PID:1756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete
2⤵
PID:1728

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete
3⤵
PID:1112

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete
2⤵
PID:984

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete
3⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete
2⤵
PID:760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete
3⤵
PID:2000

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete
2⤵
PID:1392

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete
3⤵
PID:892

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete
2⤵
PID:292

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete
3⤵
PID:808

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete
2⤵
PID:1852

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete
3⤵
PID:544

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete
2⤵
PID:1520

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete
3⤵
PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-95-0x0000000000000000-mapping.dmp

Download
memory/292-68-0x0000000000000000-mapping.dmp

Download
memory/544-98-0x0000000000000000-mapping.dmp

Download
memory/576-73-0x0000000000000000-mapping.dmp

Download
memory/736-55-0x0000000001DE0000-0x0000000001E14000-memory.dmp

Filesize
208KB

Download
memory/736-59-0x0000000001E20000-0x0000000001E53000-memory.dmp

Filesize
204KB

Download
memory/736-64-0x0000000001D70000-0x0000000001DA2000-memory.dmp

Filesize
200KB

Download
memory/736-54-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/752-81-0x0000000000000000-mapping.dmp

Download
memory/760-91-0x0000000000000000-mapping.dmp

Download
memory/808-67-0x0000000000000000-mapping.dmp

Download
memory/808-96-0x0000000000000000-mapping.dmp

Download
memory/892-94-0x0000000000000000-mapping.dmp

Download
memory/908-76-0x0000000000000000-mapping.dmp

Download
memory/972-82-0x0000000000000000-mapping.dmp

Download
memory/984-89-0x0000000000000000-mapping.dmp

Download
memory/1056-79-0x0000000000000000-mapping.dmp

Download
memory/1104-85-0x0000000000000000-mapping.dmp

Download
memory/1112-88-0x0000000000000000-mapping.dmp

Download
memory/1152-66-0x0000000000000000-mapping.dmp

Download
memory/1168-83-0x0000000000000000-mapping.dmp

Download
memory/1280-80-0x0000000000000000-mapping.dmp

Download
memory/1360-75-0x0000000000000000-mapping.dmp

Download
memory/1392-93-0x0000000000000000-mapping.dmp

Download
memory/1460-69-0x0000000000000000-mapping.dmp

Download
memory/1484-100-0x0000000000000000-mapping.dmp

Download
memory/1520-99-0x0000000000000000-mapping.dmp

Download
memory/1520-72-0x0000000000000000-mapping.dmp

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1588-77-0x0000000000000000-mapping.dmp

Download
memory/1596-78-0x0000000000000000-mapping.dmp

Download
memory/1660-65-0x0000000000000000-mapping.dmp

Download
memory/1728-87-0x0000000000000000-mapping.dmp

Download
memory/1732-71-0x0000000000000000-mapping.dmp

Download
memory/1748-90-0x0000000000000000-mapping.dmp

Download
memory/1756-86-0x0000000000000000-mapping.dmp

Download
memory/1852-97-0x0000000000000000-mapping.dmp

Download
memory/1852-70-0x0000000000000000-mapping.dmp

Download
memory/1924-74-0x0000000000000000-mapping.dmp

Download
memory/2000-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads