meow | 9f6a6b42048b12c0252a242af4fbe3a0627095d947b66029ba5f12a9c0a71050

General

Target

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
Size

225KB
MD5

a03ccf5c66c1cc04263d94931b0764d8
SHA1

9ad5475555dd14f2109998eabcfe412d28ff6449
SHA256

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40
SHA512

4fc507e9628c9640a3e87ed8aa5a39bfd07faefee1246cf3821b1a6314224cc7e24cbcd0a10a57fd990e114ceeada6ec2b069620ea604b8cdd0afac25d5b12e1
SSDEEP

3072:HrQCEI+T7gupEypsbBQeUHhBmmJAlUvuEY5KF5IXjs+Xbo:8CEI+THErQeKmmyl95dwGbo

Score

10^/10

meow ransomware spyware stealer

Malware Config

Signatures

Meow
A ransomware that wipes unsecured databases first seen in Mid 2020.
ransomware meow
Renames multiple (7971) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L49KXGWZ\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\68A65AU5\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RMA6LG7C\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G0RZ308A\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Drops file in Program Files directory 64 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18241_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\InitializeFormat.TTS	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Common Files\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00008_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00217_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\YEAR.XSL	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\PREVIEW.GIF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\LockRestart.wmf	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

pid	process
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 2620	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2620	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2620	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2620	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2620 wrote to memory of 2132	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 2132	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 2132	2620	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2824	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2824	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2824	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2824	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2824 wrote to memory of 2964	2824	cmd.exe	WMIC.exe
PID 2824 wrote to memory of 2964	2824	cmd.exe	WMIC.exe
PID 2824 wrote to memory of 2964	2824	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2896	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2896	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2896	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2896	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2896 wrote to memory of 2608	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 2608	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 2608	2896	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2732	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2732	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2732	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2732	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2732 wrote to memory of 2384	2732	cmd.exe	WMIC.exe
PID 2732 wrote to memory of 2384	2732	cmd.exe	WMIC.exe
PID 2732 wrote to memory of 2384	2732	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2596	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2596	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2596	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 2596	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	WMIC.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	WMIC.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 752	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 752	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 752	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 752	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 752 wrote to memory of 1040	752	cmd.exe	WMIC.exe
PID 752 wrote to memory of 1040	752	cmd.exe	WMIC.exe
PID 752 wrote to memory of 1040	752	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 3032	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 3032	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 3032	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 3032	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 3032 wrote to memory of 1716	3032	cmd.exe	WMIC.exe
PID 3032 wrote to memory of 1716	3032	cmd.exe	WMIC.exe
PID 3032 wrote to memory of 1716	3032	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 1760	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 1760	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 1760	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 1760	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 1760 wrote to memory of 2936	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 2936	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 2936	1760	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 664	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 664	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 664	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 2696 wrote to memory of 664	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 664 wrote to memory of 2680	664	cmd.exe	WMIC.exe
PID 664 wrote to memory of 2680	664	cmd.exe	WMIC.exe
PID 664 wrote to memory of 2680	664	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2968	2696	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
"C:\Users\Admin\AppData\Local\Temp\f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{33A5C0CF-F963-45FE-BF52-55CB6EBF83AD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{33A5C0CF-F963-45FE-BF52-55CB6EBF83AD}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{200EFFD4-86A4-4A91-A913-F1A179A2AFAC}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{200EFFD4-86A4-4A91-A913-F1A179A2AFAC}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F21073C2-A46B-4471-9B58-021F163BF4C2}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F21073C2-A46B-4471-9B58-021F163BF4C2}'" delete
3⤵
PID:2608

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07AB1FA9-7964-4A7D-8A15-5556CA2F6AD8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07AB1FA9-7964-4A7D-8A15-5556CA2F6AD8}'" delete
3⤵
PID:2384

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46C8D91D-66C0-4CC9-8223-C9F29C8287E7}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46C8D91D-66C0-4CC9-8223-C9F29C8287E7}'" delete
3⤵
PID:2672

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E938F89-1E93-4FCD-A3D8-CDB54248314B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E938F89-1E93-4FCD-A3D8-CDB54248314B}'" delete
3⤵
PID:1040

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BABD2831-A1D4-4974-8110-95B6824D94A8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BABD2831-A1D4-4974-8110-95B6824D94A8}'" delete
3⤵
PID:1716

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC90AB4A-A708-46E5-A855-46ECFED078E1}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AC90AB4A-A708-46E5-A855-46ECFED078E1}'" delete
3⤵
PID:2936

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F236582-2D26-41CF-8672-A0AC8BDAD4D0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F236582-2D26-41CF-8672-A0AC8BDAD4D0}'" delete
3⤵
PID:2680

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8BA8B59E-9FDA-4664-9897-B87D63881E7D}'" delete
2⤵
PID:2968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8BA8B59E-9FDA-4664-9897-B87D63881E7D}'" delete
3⤵
PID:1236

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB15B31F-0200-4004-9882-88155AA0F2C0}'" delete
2⤵
PID:1700

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB15B31F-0200-4004-9882-88155AA0F2C0}'" delete
3⤵
PID:856

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10DBE12B-8D49-415E-9D5C-290F3AD19E05}'" delete
2⤵
PID:1036

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10DBE12B-8D49-415E-9D5C-290F3AD19E05}'" delete
3⤵
PID:108

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9741A549-EE5C-4816-BCD3-A27784C8C7CD}'" delete
2⤵
PID:1712

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9741A549-EE5C-4816-BCD3-A27784C8C7CD}'" delete
3⤵
PID:1896

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C847E62-F38A-464E-8B63-003138A7289A}'" delete
2⤵
PID:2344

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C847E62-F38A-464E-8B63-003138A7289A}'" delete
3⤵
PID:3000

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{515D35EB-8BE8-4F32-845C-457B623379D4}'" delete
2⤵
PID:2468

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{515D35EB-8BE8-4F32-845C-457B623379D4}'" delete
3⤵
PID:2300

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E5CE5420-A92D-472A-AD5F-4E863B37E261}'" delete
2⤵
PID:2232

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E5CE5420-A92D-472A-AD5F-4E863B37E261}'" delete
3⤵
PID:1648

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F049092-6BFE-4E9D-A36B-9987FFB87518}'" delete
2⤵
PID:1540

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F049092-6BFE-4E9D-A36B-9987FFB87518}'" delete
3⤵
PID:2064

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C8A5FA1-6AC8-4BCE-83DD-080FBF357DE6}'" delete
2⤵
PID:1144

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C8A5FA1-6AC8-4BCE-83DD-080FBF357DE6}'" delete
3⤵
PID:1528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt
Filesize
16KB

MD5
bf84cfb4d4d3c3dadfe34cd39acc323a

SHA1
9b8bc323d8d8f2dee8ab028e28d2621c1fc565b9

SHA256
d7296a4a7d313d58f655a7358fe14c1b7c9964236d741847f2db9cbd78d87263

SHA512
31c264b351f7d0930e8ea79b7239c9d0dcd6c51faf7afc3086f361fff04c966b1c428501542e8db8743c921751586d0016b2d6ac005a9a6673e81394e3326311

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads