conti | 837c0f1e9749121e4f8204c2b5546964c10d4e3d85a514458c35cbc021762d5c

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
Size

201KB
MD5

3c7db7d387c900cc26000af2feba7e9a
SHA1

bbafa2f1af8ca8c692f9bb70cbd36d6ec7bb7b49
SHA256

837c0f1e9749121e4f8204c2b5546964c10d4e3d85a514458c35cbc021762d5c
SHA512

505d332083e402f52ce35f5954646fd16efcc1c03b0f2e8df62d6dc6374c151bf5f4f65790e849ba29d8fc21d568a789a66bb123be1d8a7a52ba6032bed2c5d4
SSDEEP

3072:RLJGBP1t82ETTwPAobQ3tOqmb14Gul22QZkN7S44EXZN0Rx6kFn:tJEPCTwPp03YqyNulakLu6K

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- UER3GkowzzbBdoDPcmyBX9VeFqJwjP3eaRdqiYnKkc9wCu2jcHrnl8Vstgl447Ve ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7924) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6C1HE16Q\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7N1WTHAY\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WQH5U7RP\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S87W4FRX\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00783_.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\MSB1ENFR.ITS	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6F.GIF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.dub	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS98.POC	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01797_.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\readme.txt	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nassau	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2752	vssvc.exe
Token: SeRestorePrivilege	2752	vssvc.exe
Token: SeAuditPrivilege	2752	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe
Token: SeLoadDriverPrivilege	2124	WMIC.exe
Token: SeSystemProfilePrivilege	2124	WMIC.exe
Token: SeSystemtimePrivilege	2124	WMIC.exe
Token: SeProfSingleProcessPrivilege	2124	WMIC.exe
Token: SeIncBasePriorityPrivilege	2124	WMIC.exe
Token: SeCreatePagefilePrivilege	2124	WMIC.exe
Token: SeBackupPrivilege	2124	WMIC.exe
Token: SeRestorePrivilege	2124	WMIC.exe
Token: SeShutdownPrivilege	2124	WMIC.exe
Token: SeDebugPrivilege	2124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2124	WMIC.exe
Token: SeRemoteShutdownPrivilege	2124	WMIC.exe
Token: SeUndockPrivilege	2124	WMIC.exe
Token: SeManageVolumePrivilege	2124	WMIC.exe
Token: 33	2124	WMIC.exe
Token: 34	2124	WMIC.exe
Token: 35	2124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe
Token: SeLoadDriverPrivilege	2124	WMIC.exe
Token: SeSystemProfilePrivilege	2124	WMIC.exe
Token: SeSystemtimePrivilege	2124	WMIC.exe
Token: SeProfSingleProcessPrivilege	2124	WMIC.exe
Token: SeIncBasePriorityPrivilege	2124	WMIC.exe
Token: SeCreatePagefilePrivilege	2124	WMIC.exe
Token: SeBackupPrivilege	2124	WMIC.exe
Token: SeRestorePrivilege	2124	WMIC.exe
Token: SeShutdownPrivilege	2124	WMIC.exe
Token: SeDebugPrivilege	2124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2124	WMIC.exe
Token: SeRemoteShutdownPrivilege	2124	WMIC.exe
Token: SeUndockPrivilege	2124	WMIC.exe
Token: SeManageVolumePrivilege	2124	WMIC.exe
Token: 33	2124	WMIC.exe
Token: 34	2124	WMIC.exe
Token: 35	2124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemProfilePrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeProfSingleProcessPrivilege	2820	WMIC.exe
Token: SeIncBasePriorityPrivilege	2820	WMIC.exe
Token: SeCreatePagefilePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeDebugPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe
Token: SeRemoteShutdownPrivilege	2820	WMIC.exe
Token: SeUndockPrivilege	2820	WMIC.exe
Token: SeManageVolumePrivilege	2820	WMIC.exe
Token: 33	2820	WMIC.exe
Token: 34	2820	WMIC.exe
Token: 35	2820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2952	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	31
PID 2068 wrote to memory of 2952	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	31
PID 2068 wrote to memory of 2952	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	31
PID 2068 wrote to memory of 2952	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	31
PID 2952 wrote to memory of 2124	2952	cmd.exe	32
PID 2952 wrote to memory of 2124	2952	cmd.exe	32
PID 2952 wrote to memory of 2124	2952	cmd.exe	32
PID 2068 wrote to memory of 2108	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	34
PID 2068 wrote to memory of 2108	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	34
PID 2068 wrote to memory of 2108	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	34
PID 2068 wrote to memory of 2108	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	34
PID 2108 wrote to memory of 2820	2108	cmd.exe	36
PID 2108 wrote to memory of 2820	2108	cmd.exe	36
PID 2108 wrote to memory of 2820	2108	cmd.exe	36
PID 2068 wrote to memory of 2412	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	37
PID 2068 wrote to memory of 2412	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	37
PID 2068 wrote to memory of 2412	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	37
PID 2068 wrote to memory of 2412	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	37
PID 2412 wrote to memory of 2832	2412	cmd.exe	39
PID 2412 wrote to memory of 2832	2412	cmd.exe	39
PID 2412 wrote to memory of 2832	2412	cmd.exe	39
PID 2068 wrote to memory of 2656	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	40
PID 2068 wrote to memory of 2656	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	40
PID 2068 wrote to memory of 2656	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	40
PID 2068 wrote to memory of 2656	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	40
PID 2656 wrote to memory of 2704	2656	cmd.exe	42
PID 2656 wrote to memory of 2704	2656	cmd.exe	42
PID 2656 wrote to memory of 2704	2656	cmd.exe	42
PID 2068 wrote to memory of 2296	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	43
PID 2068 wrote to memory of 2296	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	43
PID 2068 wrote to memory of 2296	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	43
PID 2068 wrote to memory of 2296	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	43
PID 2296 wrote to memory of 2528	2296	cmd.exe	45
PID 2296 wrote to memory of 2528	2296	cmd.exe	45
PID 2296 wrote to memory of 2528	2296	cmd.exe	45
PID 2068 wrote to memory of 548	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	46
PID 2068 wrote to memory of 548	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	46
PID 2068 wrote to memory of 548	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	46
PID 2068 wrote to memory of 548	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	46
PID 548 wrote to memory of 892	548	cmd.exe	48
PID 548 wrote to memory of 892	548	cmd.exe	48
PID 548 wrote to memory of 892	548	cmd.exe	48
PID 2068 wrote to memory of 1644	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	49
PID 2068 wrote to memory of 1644	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	49
PID 2068 wrote to memory of 1644	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	49
PID 2068 wrote to memory of 1644	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	49
PID 1644 wrote to memory of 2008	1644	cmd.exe	51
PID 1644 wrote to memory of 2008	1644	cmd.exe	51
PID 1644 wrote to memory of 2008	1644	cmd.exe	51
PID 2068 wrote to memory of 776	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	52
PID 2068 wrote to memory of 776	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	52
PID 2068 wrote to memory of 776	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	52
PID 2068 wrote to memory of 776	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	52
PID 776 wrote to memory of 1720	776	cmd.exe	54
PID 776 wrote to memory of 1720	776	cmd.exe	54
PID 776 wrote to memory of 1720	776	cmd.exe	54
PID 2068 wrote to memory of 1192	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	55
PID 2068 wrote to memory of 1192	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	55
PID 2068 wrote to memory of 1192	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	55
PID 2068 wrote to memory of 1192	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	55
PID 1192 wrote to memory of 1076	1192	cmd.exe	57
PID 1192 wrote to memory of 1076	1192	cmd.exe	57
PID 1192 wrote to memory of 1076	1192	cmd.exe	57
PID 2068 wrote to memory of 2992	2068	2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe	58

C:\Users\Admin\AppData\Local\Temp\2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-07_3c7db7d387c900cc26000af2feba7e9a_conti.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E65325A1-B7B7-48FA-884F-CFA212BDB978}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E65325A1-B7B7-48FA-884F-CFA212BDB978}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C84EE877-5F48-4364-B97D-C95D9A78FC42}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C84EE877-5F48-4364-B97D-C95D9A78FC42}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{696E7880-9336-4BD1-8FE5-CE3812A01D9A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{696E7880-9336-4BD1-8FE5-CE3812A01D9A}'" delete
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29369F6-1A76-4D6C-8468-1112A4A7144B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29369F6-1A76-4D6C-8468-1112A4A7144B}'" delete
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F38D5385-7790-4546-B54A-462C8D302DE1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F38D5385-7790-4546-B54A-462C8D302DE1}'" delete
    3⤵
    PID:2528
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{48FCE597-3DF4-4830-86A1-DFDF28FA95F6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{48FCE597-3DF4-4830-86A1-DFDF28FA95F6}'" delete
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE156971-7A43-40AE-8728-C837626C98AF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE156971-7A43-40AE-8728-C837626C98AF}'" delete
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FC6B8069-C083-4B1E-8270-0A7A19C7EF45}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FC6B8069-C083-4B1E-8270-0A7A19C7EF45}'" delete
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA52D676-6DBA-4263-AB84-4C6F161DB140}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA52D676-6DBA-4263-AB84-4C6F161DB140}'" delete
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6EA46DB1-DB04-4516-9084-6F80B5A78DDE}'" delete
  2⤵
  PID:2992
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6EA46DB1-DB04-4516-9084-6F80B5A78DDE}'" delete
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D04A56-E2FA-4580-885D-9DD72402EDCA}'" delete
  2⤵
  PID:2040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D04A56-E2FA-4580-885D-9DD72402EDCA}'" delete
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{20A56F80-1895-41DB-A5AF-7C27AAEBF117}'" delete
  2⤵
  PID:3040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{20A56F80-1895-41DB-A5AF-7C27AAEBF117}'" delete
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F952C30E-CC2E-48A2-AD6E-0ED9BD546C87}'" delete
  2⤵
  PID:1016
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F952C30E-CC2E-48A2-AD6E-0ED9BD546C87}'" delete
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{61A0A08C-0A73-4CB4-A288-308DE7A45B97}'" delete
  2⤵
  PID:2700
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{61A0A08C-0A73-4CB4-A288-308DE7A45B97}'" delete
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5CD49222-CE51-45F1-B986-E89641B076DB}'" delete
  2⤵
  PID:3032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5CD49222-CE51-45F1-B986-E89641B076DB}'" delete
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F44CAA3-390E-4909-8266-9413DFCA4D0F}'" delete
  2⤵
  PID:2160
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F44CAA3-390E-4909-8266-9413DFCA4D0F}'" delete
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3AD3FCC-4BEA-4145-B94B-576C5C36CB5A}'" delete
  2⤵
  PID:2448
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3AD3FCC-4BEA-4145-B94B-576C5C36CB5A}'" delete
    3⤵
    PID:2844
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{81C7D94F-0024-4D75-BA29-2CF29325250A}'" delete
  2⤵
  PID:1604
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{81C7D94F-0024-4D75-BA29-2CF29325250A}'" delete
    3⤵
    PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
02aca66083f85518ca1ac4bb688e7b4f

SHA1
8b6dab3ceb858ce768bc4d584597605dae5963cc

SHA256
60b63e95a062a9ac3694683db5f6b72f60856073f66a402558152ed5b34d2dd8

SHA512
304e6827421e72c614e69006eafa7b8863446980351d4875fb733b6388aee8787b08b87afee194988dbadf0a2d620ac3db3836f70b9e1eb271c23fa0f354de39

Download Submit
memory/2068-228-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download
memory/2068-4236-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download
memory/2068-6472-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download
memory/2068-10867-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download
memory/2068-14208-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download
memory/2068-17597-0x0000000000A30000-0x0000000000A68000-memory.dmp

Filesize
224KB

Download