Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2023, 23:08
Behavioral task
behavioral1
Sample
134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Resource
win10v2004-20220901-en
General
-
Target
134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
-
Size
12.0MB
-
MD5
a067491773524cf499e7a0bc77ceec96
-
SHA1
e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13
-
SHA256
134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457
-
SHA512
c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c
-
SSDEEP
98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP
Malware Config
Extracted
C:\Readme_Instructions.html
href="mailto:[email protected]">[email protected]</a><br><br>
http-equiv="X-UA-Compatible"
Signatures
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SetRemove.raw => C:\Users\Admin\Pictures\SetRemove.raw.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\StepResume.crw => C:\Users\Admin\Pictures\StepResume.crw.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\ConfirmConvert.tif => C:\Users\Admin\Pictures\ConfirmConvert.tif.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Users\Admin\Pictures\ReadHide.tiff 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\RestoreStart.tif => C:\Users\Admin\Pictures\RestoreStart.tif.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Users\Admin\Pictures\InvokeStep.tiff 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\ReadHide.tiff => C:\Users\Admin\Pictures\ReadHide.tiff.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\RedoUnlock.tif => C:\Users\Admin\Pictures\RedoUnlock.tif.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\InvokeStep.tiff => C:\Users\Admin\Pictures\InvokeStep.tiff.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\MeasureInstall.tif => C:\Users\Admin\Pictures\MeasureInstall.tif.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\RestoreOut.raw => C:\Users\Admin\Pictures\RestoreOut.raw.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\StepSwitch.png => C:\Users\Admin\Pictures\StepSwitch.png.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\UninstallProtect.raw => C:\Users\Admin\Pictures\UninstallProtect.raw.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Users\Admin\Pictures\ConnectSkip.tiff 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\ConnectSkip.tiff => C:\Users\Admin\Pictures\ConnectSkip.tiff.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File renamed C:\Users\Admin\Pictures\DisconnectNew.png => C:\Users\Admin\Pictures\DisconnectNew.png.CRYPT 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\preloaded_data.pb 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIF 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\README.txt 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mr.pak 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\Readme_Instructions.html 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\StepInitialize.vdw 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 2436 vssvc.exe Token: SeRestorePrivilege 2436 vssvc.exe Token: SeAuditPrivilege 2436 vssvc.exe Token: SeIncreaseQuotaPrivilege 1860 WMIC.exe Token: SeSecurityPrivilege 1860 WMIC.exe Token: SeTakeOwnershipPrivilege 1860 WMIC.exe Token: SeLoadDriverPrivilege 1860 WMIC.exe Token: SeSystemProfilePrivilege 1860 WMIC.exe Token: SeSystemtimePrivilege 1860 WMIC.exe Token: SeProfSingleProcessPrivilege 1860 WMIC.exe Token: SeIncBasePriorityPrivilege 1860 WMIC.exe Token: SeCreatePagefilePrivilege 1860 WMIC.exe Token: SeBackupPrivilege 1860 WMIC.exe Token: SeRestorePrivilege 1860 WMIC.exe Token: SeShutdownPrivilege 1860 WMIC.exe Token: SeDebugPrivilege 1860 WMIC.exe Token: SeSystemEnvironmentPrivilege 1860 WMIC.exe Token: SeRemoteShutdownPrivilege 1860 WMIC.exe Token: SeUndockPrivilege 1860 WMIC.exe Token: SeManageVolumePrivilege 1860 WMIC.exe Token: 33 1860 WMIC.exe Token: 34 1860 WMIC.exe Token: 35 1860 WMIC.exe Token: 36 1860 WMIC.exe Token: SeIncreaseQuotaPrivilege 1860 WMIC.exe Token: SeSecurityPrivilege 1860 WMIC.exe Token: SeTakeOwnershipPrivilege 1860 WMIC.exe Token: SeLoadDriverPrivilege 1860 WMIC.exe Token: SeSystemProfilePrivilege 1860 WMIC.exe Token: SeSystemtimePrivilege 1860 WMIC.exe Token: SeProfSingleProcessPrivilege 1860 WMIC.exe Token: SeIncBasePriorityPrivilege 1860 WMIC.exe Token: SeCreatePagefilePrivilege 1860 WMIC.exe Token: SeBackupPrivilege 1860 WMIC.exe Token: SeRestorePrivilege 1860 WMIC.exe Token: SeShutdownPrivilege 1860 WMIC.exe Token: SeDebugPrivilege 1860 WMIC.exe Token: SeSystemEnvironmentPrivilege 1860 WMIC.exe Token: SeRemoteShutdownPrivilege 1860 WMIC.exe Token: SeUndockPrivilege 1860 WMIC.exe Token: SeManageVolumePrivilege 1860 WMIC.exe Token: 33 1860 WMIC.exe Token: 34 1860 WMIC.exe Token: 35 1860 WMIC.exe Token: 36 1860 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 5016 wrote to memory of 4300 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 83 PID 5016 wrote to memory of 4300 5016 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe 83 PID 4300 wrote to memory of 1860 4300 cmd.exe 85 PID 4300 wrote to memory of 1860 4300 cmd.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8E5A4D4-6E8F-4ECA-830A-CA63F6A2AC4B}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8E5A4D4-6E8F-4ECA-830A-CA63F6A2AC4B}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436