b620fe3c4475b1e66a363f32a02402ddbf8b704c1d5b57cd33c2faf9d113c9c8

Analysis

max time kernel
130s
max time network
54s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
Size

210KB
MD5

f486b69dc261cbf3ffac231324015ebb
SHA1

ee1fc0b7350559fac9c23f7d832bdf2760e80b03
SHA256

c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb
SHA512

16a1d8c6a371506525c488355e799b2fd04173a4dd6e771e1fcddb380d8a4d16f1f5bd310858f3f151a9c860c3636712a63b536ca55bc2b63f03263f4e50f12b
SSDEEP

3072:QV+V98GoDHlXb6hyhwOfFAc/ZICFzhb9wl/mjF5I6yAJKybo:LVPo76y5NAcB5x9wk1VJKybo

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\WaitResolve.tiff	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File renamed	C:\Users\Admin\Pictures\WaitResolve.tiff => C:\Users\Admin\Pictures\WaitResolve.tiff.KREMLIN	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File renamed	C:\Users\Admin\Pictures\DenyStep.png => C:\Users\Admin\Pictures\DenyStep.png.KREMLIN	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File renamed	C:\Users\Admin\Pictures\MergeCopy.crw => C:\Users\Admin\Pictures\MergeCopy.crw.KREMLIN	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File renamed	C:\Users\Admin\Pictures\ResolveStop.raw => C:\Users\Admin\Pictures\ResolveStop.raw.KREMLIN	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0TVDPZFS\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DDR67LLW\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DRI6H3TS\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WAOMFATN\desktop.ini	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090149.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00262_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Gaza	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files (x86)\Reference Assemblies\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL026.XML	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\README.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	108	WMIC.exe
Token: SeSecurityPrivilege	108	WMIC.exe
Token: SeTakeOwnershipPrivilege	108	WMIC.exe
Token: SeLoadDriverPrivilege	108	WMIC.exe
Token: SeSystemProfilePrivilege	108	WMIC.exe
Token: SeSystemtimePrivilege	108	WMIC.exe
Token: SeProfSingleProcessPrivilege	108	WMIC.exe
Token: SeIncBasePriorityPrivilege	108	WMIC.exe
Token: SeCreatePagefilePrivilege	108	WMIC.exe
Token: SeBackupPrivilege	108	WMIC.exe
Token: SeRestorePrivilege	108	WMIC.exe
Token: SeShutdownPrivilege	108	WMIC.exe
Token: SeDebugPrivilege	108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	108	WMIC.exe
Token: SeRemoteShutdownPrivilege	108	WMIC.exe
Token: SeUndockPrivilege	108	WMIC.exe
Token: SeManageVolumePrivilege	108	WMIC.exe
Token: 33	108	WMIC.exe
Token: 34	108	WMIC.exe
Token: 35	108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	108	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 292	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	33
PID 1708 wrote to memory of 292	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	33
PID 1708 wrote to memory of 292	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	33
PID 1708 wrote to memory of 292	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	33
PID 292 wrote to memory of 1464	292	cmd.exe	31
PID 292 wrote to memory of 1464	292	cmd.exe	31
PID 292 wrote to memory of 1464	292	cmd.exe	31
PID 1708 wrote to memory of 328	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	34
PID 1708 wrote to memory of 328	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	34
PID 1708 wrote to memory of 328	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	34
PID 1708 wrote to memory of 328	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	34
PID 328 wrote to memory of 108	328	cmd.exe	36
PID 328 wrote to memory of 108	328	cmd.exe	36
PID 328 wrote to memory of 108	328	cmd.exe	36
PID 1708 wrote to memory of 1628	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	37
PID 1708 wrote to memory of 1628	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	37
PID 1708 wrote to memory of 1628	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	37
PID 1708 wrote to memory of 1628	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	37
PID 1628 wrote to memory of 1808	1628	cmd.exe	39
PID 1628 wrote to memory of 1808	1628	cmd.exe	39
PID 1628 wrote to memory of 1808	1628	cmd.exe	39
PID 1708 wrote to memory of 824	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	40
PID 1708 wrote to memory of 824	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	40
PID 1708 wrote to memory of 824	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	40
PID 1708 wrote to memory of 824	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	40
PID 824 wrote to memory of 396	824	cmd.exe	42
PID 824 wrote to memory of 396	824	cmd.exe	42
PID 824 wrote to memory of 396	824	cmd.exe	42
PID 1708 wrote to memory of 1784	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	43
PID 1708 wrote to memory of 1784	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	43
PID 1708 wrote to memory of 1784	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	43
PID 1708 wrote to memory of 1784	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	43
PID 1784 wrote to memory of 1632	1784	cmd.exe	45
PID 1784 wrote to memory of 1632	1784	cmd.exe	45
PID 1784 wrote to memory of 1632	1784	cmd.exe	45
PID 1708 wrote to memory of 832	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	46
PID 1708 wrote to memory of 832	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	46
PID 1708 wrote to memory of 832	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	46
PID 1708 wrote to memory of 832	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	46
PID 832 wrote to memory of 1260	832	cmd.exe	48
PID 832 wrote to memory of 1260	832	cmd.exe	48
PID 832 wrote to memory of 1260	832	cmd.exe	48
PID 1708 wrote to memory of 1932	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	49
PID 1708 wrote to memory of 1932	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	49
PID 1708 wrote to memory of 1932	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	49
PID 1708 wrote to memory of 1932	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	49
PID 1932 wrote to memory of 1880	1932	cmd.exe	51
PID 1932 wrote to memory of 1880	1932	cmd.exe	51
PID 1932 wrote to memory of 1880	1932	cmd.exe	51
PID 1708 wrote to memory of 1592	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	52
PID 1708 wrote to memory of 1592	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	52
PID 1708 wrote to memory of 1592	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	52
PID 1708 wrote to memory of 1592	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	52
PID 1592 wrote to memory of 1812	1592	cmd.exe	54
PID 1592 wrote to memory of 1812	1592	cmd.exe	54
PID 1592 wrote to memory of 1812	1592	cmd.exe	54
PID 1708 wrote to memory of 1144	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	55
PID 1708 wrote to memory of 1144	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	55
PID 1708 wrote to memory of 1144	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	55
PID 1708 wrote to memory of 1144	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	55
PID 1144 wrote to memory of 564	1144	cmd.exe	57
PID 1144 wrote to memory of 564	1144	cmd.exe	57
PID 1144 wrote to memory of 564	1144	cmd.exe	57
PID 1708 wrote to memory of 1624	1708	c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
"C:\Users\Admin\AppData\Local\Temp\c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40530E52-D859-4288-8535-7A1E7BF38742}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:292
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{362F9380-A10B-4293-BDFE-E2ABDECA2DAF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{362F9380-A10B-4293-BDFE-E2ABDECA2DAF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD5FDCA8-7209-40FA-9A5C-CEDEDC37256E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD5FDCA8-7209-40FA-9A5C-CEDEDC37256E}'" delete
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93FAE12C-833C-441A-939F-52258540534E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93FAE12C-833C-441A-939F-52258540534E}'" delete
    3⤵
    PID:396
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4AC7E78B-CB66-4825-B5F5-1F514EAB0111}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4AC7E78B-CB66-4825-B5F5-1F514EAB0111}'" delete
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68742572-A9EF-406D-8825-1474A4A3AE2F}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68742572-A9EF-406D-8825-1474A4A3AE2F}'" delete
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46A7E154-E116-4937-9D32-DC8C7C02E8A8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46A7E154-E116-4937-9D32-DC8C7C02E8A8}'" delete
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DE8D6635-6769-4349-B17F-DFC50B9CD9B0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DE8D6635-6769-4349-B17F-DFC50B9CD9B0}'" delete
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8A2D3A5-A46A-4D2A-9520-2932D9ABB035}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8A2D3A5-A46A-4D2A-9520-2932D9ABB035}'" delete
    3⤵
    PID:564
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B65306-46B3-4B33-A700-490BDE2E46FC}'" delete
  2⤵
  PID:1624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B65306-46B3-4B33-A700-490BDE2E46FC}'" delete
    3⤵
    PID:820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BF24B04-491E-47A4-A279-BD67AC36C7EF}'" delete
  2⤵
  PID:1872
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BF24B04-491E-47A4-A279-BD67AC36C7EF}'" delete
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93A01BCD-1CE1-4859-8D37-BA4FEA28BD2D}'" delete
  2⤵
  PID:1672
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93A01BCD-1CE1-4859-8D37-BA4FEA28BD2D}'" delete
    3⤵
    PID:948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C8D665A-144E-455D-9C50-3B972749B177}'" delete
  2⤵
  PID:1044
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C8D665A-144E-455D-9C50-3B972749B177}'" delete
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06A0C767-A751-4562-9A96-8A6BDBB5178D}'" delete
  2⤵
  PID:916
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06A0C767-A751-4562-9A96-8A6BDBB5178D}'" delete
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94367333-C515-4BAD-8EDC-5D79B53C5D0E}'" delete
  2⤵
  PID:1564
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94367333-C515-4BAD-8EDC-5D79B53C5D0E}'" delete
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AA386E9-758B-4161-A1B6-15ED24FC93BB}'" delete
  2⤵
  PID:1528
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AA386E9-758B-4161-A1B6-15ED24FC93BB}'" delete
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF94CE8D-CB56-45BC-9D93-B88CC180A09F}'" delete
  2⤵
  PID:1500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF94CE8D-CB56-45BC-9D93-B88CC180A09F}'" delete
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C9FDDD-2105-402F-B9BD-770535EDBE41}'" delete
  2⤵
  PID:2020
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C9FDDD-2105-402F-B9BD-770535EDBE41}'" delete
    3⤵
    PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40530E52-D859-4288-8535-7A1E7BF38742}'" delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\README.txt

Filesize
122B

MD5
818d78ec097f2a03ae2dafeb16e1de7f

SHA1
204ba20483435f1b6b4a8dea41c4e4f104adf59c

SHA256
9e930a6bbe9443c3683df6639f5007afd6f2213d8c0abeadd281fc5e8a59a8ae

SHA512
d28e3a81645f8541e2f5cd2d89f23c02dff12b6430dc6d47e9156ccd20d092ce9d91cf6b7ca68cab744752b7d42d4b71ae1679dc79f0cc1d73a91cbba5151396

Download Submit