Analysis
max time kernel: 87s
max time network: 51s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 15/02/2023, 13:38
Static task: static1
Behavioral task: behavioral1
Sample: 507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe
Resource: win10v2004-20221111-en
General
Target: 507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe
Size: 245KB
MD5: 648fbbdc518b7782c4d2907d2ebe8ecf
SHA1: fa380fae46477153957a4d3767a59b94331adb6e
SHA256: 507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92
SHA512: 79c5ba0e5d2f90ff2fec3722c65b72cec34f6d5fc3864479eec8ffb62231ff1713059bf0051046a778996dee6e701b20834f49af76c3249a2e143623396e7321
SSDEEP: 3072:ZO459Ejzjz10wKaEcKBIacm6QBDOmkm9wXcIfGBF5UgbB67+0UL:T8HzKxhcKB0VQBLk7XcIkbkS0UL
Malware Config
Extracted
C:\!!!-Restore-My-Files-!!!.txt
lockbit
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Process (all 11 entries): 507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe
File renamed: C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.b38aa23a
File opened for modification: C:\Users\Admin\Pictures\ConfirmRead.tiff
File renamed: C:\Users\Admin\Pictures\GetAssert.tif => C:\Users\Admin\Pictures\GetAssert.tif.b38aa23a
File opened for modification: C:\Users\Admin\Pictures\RestoreExit.tiff
File renamed: C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.b38aa23a
File renamed: C:\Users\Admin\Pictures\AddUninstall.raw => C:\Users\Admin\Pictures\AddUninstall.raw.b38aa23a
File renamed: C:\Users\Admin\Pictures\MeasureGrant.raw => C:\Users\Admin\Pictures\MeasureGrant.raw.b38aa23a
File renamed: C:\Users\Admin\Pictures\RestoreExit.tiff => C:\Users\Admin\Pictures\RestoreExit.tiff.b38aa23a
File opened for modification: C:\Users\Admin\Pictures\UnregisterComplete.tiff
File renamed: C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\Users\Admin\Pictures\UnregisterComplete.tiff.b38aa23a
File renamed: C:\Users\Admin\Pictures\ConfirmRead.tiff => C:\Users\Admin\Pictures\ConfirmRead.tiff.b38aa23a
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 46 IoCs
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- C:\Users\Admin\AppData\Local\Temp\507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe (PID 2008): "C:\Users\Admin\AppData\Local\Temp\507d194b2291e3edb16357dac55f83e455d5a3ec8db1a1cd59c50ae0d66d1b92.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 520): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1716): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 676): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 972): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1016): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2040): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete
  - C:\Windows\system32\cmd.exe (PID 1692): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 428): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete
  - C:\Windows\system32\cmd.exe (PID 268): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1012): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete
  - C:\Windows\system32\cmd.exe (PID 1840): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 556): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete
  - C:\Windows\system32\cmd.exe (PID 524): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1084): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete
  - C:\Windows\system32\cmd.exe (PID 1556): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 564): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete
  - C:\Windows\system32\cmd.exe (PID 832): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1828): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete
  - C:\Windows\system32\cmd.exe (PID 1720): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 568): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete
  - C:\Windows\system32\cmd.exe (PID 776): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1560): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete
  - C:\Windows\system32\cmd.exe (PID 808): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1136): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete
  - C:\Windows\system32\cmd.exe (PID 1400): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1976): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete
  - C:\Windows\system32\cmd.exe (PID 1480): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1712): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete
  - C:\Windows\system32\cmd.exe (PID 1504): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 784): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete
  - C:\Windows\system32\cmd.exe (PID 1716): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1604): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete
  - C:\Windows\system32\cmd.exe (PID 972): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1160): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete
  - C:\Windows\system32\cmd.exe (PID 560): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 836): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete
- C:\Windows\system32\vssvc.exe (PID 1748): C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken