Analysis
-
max time kernel
127s -
max time network
55s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
06-12-2022 11:04
Static task
static1
Behavioral task
behavioral1
Sample
1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
Resource
win7-20220901-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
-
Size
190KB
-
MD5
2dc5a4338d438ea4e78878cff4cfe2cf
-
SHA1
cfdd6e3a69b12d43af94cb0441db3e1ef93f74f8
-
SHA256
1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9
-
SHA512
32a8d6f2fa1e472aefa8cc41cb59b5b67e84d336ca35c5b1f5d2a2ad2eae5a7ba1cbfba17f75261b0220a5d896b72bb4b95c5c86a6c8bda4b9bf50463f2222fc
-
SSDEEP
3072:mbgz9OJcW+b7d55P96aqwKDpi68oLlmqMVHKXhtK+Ux/fcVIx5xa:59uQb7V9KwKDpiSLl6B6hmplPa
Score
10/10
Malware Config
Extracted
Path
C:\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI ransomware.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through:
Our website
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.top/
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP
---BEGIN ID---
FQ6C1V320lsGoEpDS1i4SFkTzLnOQ9vSXpwMwYdsE7CL2myTZeHVHuuqtzHQGOpB
---END ID---
URLs
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.top/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\DismountOpen.raw => C:\Users\Admin\Pictures\DismountOpen.raw.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\GrantLimit.raw => C:\Users\Admin\Pictures\GrantLimit.raw.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\UnregisterAssert.tif => C:\Users\Admin\Pictures\UnregisterAssert.tif.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\EnableAssert.tif => C:\Users\Admin\Pictures\EnableAssert.tif.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File renamed C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.YEKRW 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 46 IoCs
description ioc Process File opened for modification C:\Users\Public\Recorded TV\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G2GR9E4N\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YZA8LC25\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Links\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Documents\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Videos\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\16ZRL8F2\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Music\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NFAXYLRV\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Music\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\MST 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSS.ICO 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Java\jre7\lib\zi\Antarctica\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00438_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\VideoLAN\VLC\locale\fr\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\VideoLAN\VLC\locale\mk\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL109.XML 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Elemental.thmx 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ODBC.SAM 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Swift_Current 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752G.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02045_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00433_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\readme.txt 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 672 vssvc.exe Token: SeRestorePrivilege 672 vssvc.exe Token: SeAuditPrivilege 672 vssvc.exe Token: SeIncreaseQuotaPrivilege 1504 WMIC.exe Token: SeSecurityPrivilege 1504 WMIC.exe Token: SeTakeOwnershipPrivilege 1504 WMIC.exe Token: SeLoadDriverPrivilege 1504 WMIC.exe Token: SeSystemProfilePrivilege 1504 WMIC.exe Token: SeSystemtimePrivilege 1504 WMIC.exe Token: SeProfSingleProcessPrivilege 1504 WMIC.exe Token: SeIncBasePriorityPrivilege 1504 WMIC.exe Token: SeCreatePagefilePrivilege 1504 WMIC.exe Token: SeBackupPrivilege 1504 WMIC.exe Token: SeRestorePrivilege 1504 WMIC.exe Token: SeShutdownPrivilege 1504 WMIC.exe Token: SeDebugPrivilege 1504 WMIC.exe Token: SeSystemEnvironmentPrivilege 1504 WMIC.exe Token: SeRemoteShutdownPrivilege 1504 WMIC.exe Token: SeUndockPrivilege 1504 WMIC.exe Token: SeManageVolumePrivilege 1504 WMIC.exe Token: 33 1504 WMIC.exe Token: 34 1504 WMIC.exe Token: 35 1504 WMIC.exe Token: SeIncreaseQuotaPrivilege 1504 WMIC.exe Token: SeSecurityPrivilege 1504 WMIC.exe Token: SeTakeOwnershipPrivilege 1504 WMIC.exe Token: SeLoadDriverPrivilege 1504 WMIC.exe Token: SeSystemProfilePrivilege 1504 WMIC.exe Token: SeSystemtimePrivilege 1504 WMIC.exe Token: SeProfSingleProcessPrivilege 1504 WMIC.exe Token: SeIncBasePriorityPrivilege 1504 WMIC.exe Token: SeCreatePagefilePrivilege 1504 WMIC.exe Token: SeBackupPrivilege 1504 WMIC.exe Token: SeRestorePrivilege 1504 WMIC.exe Token: SeShutdownPrivilege 1504 WMIC.exe Token: SeDebugPrivilege 1504 WMIC.exe Token: SeSystemEnvironmentPrivilege 1504 WMIC.exe Token: SeRemoteShutdownPrivilege 1504 WMIC.exe Token: SeUndockPrivilege 1504 WMIC.exe Token: SeManageVolumePrivilege 1504 WMIC.exe Token: 33 1504 WMIC.exe Token: 34 1504 WMIC.exe Token: 35 1504 WMIC.exe Token: SeIncreaseQuotaPrivilege 1104 WMIC.exe Token: SeSecurityPrivilege 1104 WMIC.exe Token: SeTakeOwnershipPrivilege 1104 WMIC.exe Token: SeLoadDriverPrivilege 1104 WMIC.exe Token: SeSystemProfilePrivilege 1104 WMIC.exe Token: SeSystemtimePrivilege 1104 WMIC.exe Token: SeProfSingleProcessPrivilege 1104 WMIC.exe Token: SeIncBasePriorityPrivilege 1104 WMIC.exe Token: SeCreatePagefilePrivilege 1104 WMIC.exe Token: SeBackupPrivilege 1104 WMIC.exe Token: SeRestorePrivilege 1104 WMIC.exe Token: SeShutdownPrivilege 1104 WMIC.exe Token: SeDebugPrivilege 1104 WMIC.exe Token: SeSystemEnvironmentPrivilege 1104 WMIC.exe Token: SeRemoteShutdownPrivilege 1104 WMIC.exe Token: SeUndockPrivilege 1104 WMIC.exe Token: SeManageVolumePrivilege 1104 WMIC.exe Token: 33 1104 WMIC.exe Token: 34 1104 WMIC.exe Token: 35 1104 WMIC.exe Token: SeIncreaseQuotaPrivilege 1104 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1324 wrote to memory of 1764 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 30 PID 1324 wrote to memory of 1764 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 30 PID 1324 wrote to memory of 1764 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 30 PID 1324 wrote to memory of 1764 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 30 PID 1764 wrote to memory of 1504 1764 cmd.exe 32 PID 1764 wrote to memory of 1504 1764 cmd.exe 32 PID 1764 wrote to memory of 1504 1764 cmd.exe 32 PID 1324 wrote to memory of 988 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 33 PID 1324 wrote to memory of 988 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 33 PID 1324 wrote to memory of 988 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 33 PID 1324 wrote to memory of 988 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 33 PID 988 wrote to memory of 1104 988 cmd.exe 35 PID 988 wrote to memory of 1104 988 cmd.exe 35 PID 988 wrote to memory of 1104 988 cmd.exe 35 PID 1324 wrote to memory of 1152 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 36 PID 1324 wrote to memory of 1152 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 36 PID 1324 wrote to memory of 1152 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 36 PID 1324 wrote to memory of 1152 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 36 PID 1152 wrote to memory of 1320 1152 cmd.exe 38 PID 1152 wrote to memory of 1320 1152 cmd.exe 38 PID 1152 wrote to memory of 1320 1152 cmd.exe 38 PID 1324 wrote to memory of 2028 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 39 PID 1324 wrote to memory of 2028 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 39 PID 1324 wrote to memory of 2028 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 39 PID 1324 wrote to memory of 2028 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 39 PID 2028 wrote to memory of 1976 2028 cmd.exe 41 PID 2028 wrote to memory of 1976 2028 cmd.exe 41 PID 2028 wrote to memory of 1976 2028 cmd.exe 41 PID 1324 wrote to memory of 800 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 42 PID 1324 wrote to memory of 800 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 42 PID 1324 wrote to memory of 800 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 42 PID 1324 wrote to memory of 800 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 42 PID 800 wrote to memory of 1880 800 cmd.exe 44 PID 800 wrote to memory of 1880 800 cmd.exe 44 PID 800 wrote to memory of 1880 800 cmd.exe 44 PID 1324 wrote to memory of 880 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 45 PID 1324 wrote to memory of 880 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 45 PID 1324 wrote to memory of 880 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 45 PID 1324 wrote to memory of 880 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 45 PID 880 wrote to memory of 700 880 cmd.exe 47 PID 880 wrote to memory of 700 880 cmd.exe 47 PID 880 wrote to memory of 700 880 cmd.exe 47 PID 1324 wrote to memory of 956 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 48 PID 1324 wrote to memory of 956 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 48 PID 1324 wrote to memory of 956 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 48 PID 1324 wrote to memory of 956 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 48 PID 956 wrote to memory of 1424 956 cmd.exe 50 PID 956 wrote to memory of 1424 956 cmd.exe 50 PID 956 wrote to memory of 1424 956 cmd.exe 50 PID 1324 wrote to memory of 1720 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 51 PID 1324 wrote to memory of 1720 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 51 PID 1324 wrote to memory of 1720 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 51 PID 1324 wrote to memory of 1720 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 51 PID 1720 wrote to memory of 564 1720 cmd.exe 53 PID 1720 wrote to memory of 564 1720 cmd.exe 53 PID 1720 wrote to memory of 564 1720 cmd.exe 53 PID 1324 wrote to memory of 1304 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 54 PID 1324 wrote to memory of 1304 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 54 PID 1324 wrote to memory of 1304 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 54 PID 1324 wrote to memory of 1304 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 54 PID 1304 wrote to memory of 828 1304 cmd.exe 56 PID 1304 wrote to memory of 828 1304 cmd.exe 56 PID 1304 wrote to memory of 828 1304 cmd.exe 56 PID 1324 wrote to memory of 1612 1324 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe 57
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe"C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C732AD79-2676-4478-8324-E2E272CAF080}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C732AD79-2676-4478-8324-E2E272CAF080}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45550C23-6DFB-4834-9ABC-F675394A6854}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45550C23-6DFB-4834-9ABC-F675394A6854}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6938AA3-B544-40A1-A284-715405CED94A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6938AA3-B544-40A1-A284-715405CED94A}'" delete3⤵PID:1320
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8853E473-3443-449E-AAF8-26AC0385AFF7}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8853E473-3443-449E-AAF8-26AC0385AFF7}'" delete3⤵PID:1976
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32414A6B-2923-454B-A3BB-E9B00E9B2986}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32414A6B-2923-454B-A3BB-E9B00E9B2986}'" delete3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BCF16990-7DF6-4662-9B38-824EDB783776}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BCF16990-7DF6-4662-9B38-824EDB783776}'" delete3⤵PID:700
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{027188E6-24B0-4B24-9D58-D7193261822A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{027188E6-24B0-4B24-9D58-D7193261822A}'" delete3⤵PID:1424
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D681C056-F0A9-42F1-85A2-F1D5A0FE4CCE}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D681C056-F0A9-42F1-85A2-F1D5A0FE4CCE}'" delete3⤵PID:564
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5943E2F-FD3F-483F-BBA5-85D18C020F6E}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5943E2F-FD3F-483F-BBA5-85D18C020F6E}'" delete3⤵PID:828
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7929D406-7E7D-435F-B083-B0D09E608D4F}'" delete2⤵PID:1612
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7929D406-7E7D-435F-B083-B0D09E608D4F}'" delete3⤵PID:1396
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{36515C56-E730-408F-82A1-A9626EFDC2F1}'" delete2⤵PID:1592
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{36515C56-E730-408F-82A1-A9626EFDC2F1}'" delete3⤵PID:1920
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{87213D3E-FD2A-47BF-8D96-3FF4F798C525}'" delete2⤵PID:2000
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{87213D3E-FD2A-47BF-8D96-3FF4F798C525}'" delete3⤵PID:1384
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A8C3DC0-DEAE-40C7-934A-660B3554D3C6}'" delete2⤵PID:1360
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A8C3DC0-DEAE-40C7-934A-660B3554D3C6}'" delete3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4AF679B-8326-4DC6-B011-7C01D31BB82B}'" delete2⤵PID:524
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4AF679B-8326-4DC6-B011-7C01D31BB82B}'" delete3⤵PID:544
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D32BA93-B973-4E0C-9F15-8428C9A8DFB3}'" delete2⤵PID:956
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D32BA93-B973-4E0C-9F15-8428C9A8DFB3}'" delete3⤵PID:1012
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{72BDF867-2970-424B-9779-B003388921BA}'" delete2⤵PID:1720
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{72BDF867-2970-424B-9779-B003388921BA}'" delete3⤵PID:1604
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D7B6E54-2B77-45E2-BB4D-141B0CA58407}'" delete2⤵PID:1376
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D7B6E54-2B77-45E2-BB4D-141B0CA58407}'" delete3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AD0465AE-A9BC-47E2-828C-9B0AD88BD954}'" delete2⤵PID:1828
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AD0465AE-A9BC-47E2-828C-9B0AD88BD954}'" delete3⤵PID:1924
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:672