conti | 418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
Size

373KB
MD5

cd0795c8b2bb7a19e10f06f8d23face4
SHA1

3e73188e446dcdc5796fc904e8bb6768a787a9e0
SHA256

418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd
SHA512

4ebd157f5ceb4cf98c6e417ab38c547c4684c3063cc8cd3b6af47d6f5d2615257ac944a4bddc312dffeac6ee4ee4d55090f9cc5f973976e29ddf14775c3d30a7
SSDEEP

6144:4u3961zes6RBIkXi5ts0lnt4Zz4ByevEPzgpDxceGxImYMSbf/mEmbwX5elm7Dm:DJrB3SRt4ZzEiPzaFceG2DDX0F

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7981) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ASWW3GU0\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\B5JWTXJ4\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QE6QYUAB\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L54IQZD2\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXC	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNS.ICO	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNL.ICO	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2764	vssvc.exe
Token: SeRestorePrivilege	2764	vssvc.exe
Token: SeAuditPrivilege	2764	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2816	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	31
PID 2288 wrote to memory of 2816	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	31
PID 2288 wrote to memory of 2816	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	31
PID 2288 wrote to memory of 2816	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	31
PID 2816 wrote to memory of 2740	2816	cmd.exe	33
PID 2816 wrote to memory of 2740	2816	cmd.exe	33
PID 2816 wrote to memory of 2740	2816	cmd.exe	33
PID 2288 wrote to memory of 2584	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	34
PID 2288 wrote to memory of 2584	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	34
PID 2288 wrote to memory of 2584	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	34
PID 2288 wrote to memory of 2584	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	34
PID 2584 wrote to memory of 2788	2584	cmd.exe	36
PID 2584 wrote to memory of 2788	2584	cmd.exe	36
PID 2584 wrote to memory of 2788	2584	cmd.exe	36
PID 2288 wrote to memory of 2588	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	37
PID 2288 wrote to memory of 2588	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	37
PID 2288 wrote to memory of 2588	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	37
PID 2288 wrote to memory of 2588	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	37
PID 2588 wrote to memory of 2704	2588	cmd.exe	39
PID 2588 wrote to memory of 2704	2588	cmd.exe	39
PID 2588 wrote to memory of 2704	2588	cmd.exe	39
PID 2288 wrote to memory of 2368	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	40
PID 2288 wrote to memory of 2368	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	40
PID 2288 wrote to memory of 2368	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	40
PID 2288 wrote to memory of 2368	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	40
PID 2368 wrote to memory of 1884	2368	cmd.exe	42
PID 2368 wrote to memory of 1884	2368	cmd.exe	42
PID 2368 wrote to memory of 1884	2368	cmd.exe	42
PID 2288 wrote to memory of 2792	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	43
PID 2288 wrote to memory of 2792	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	43
PID 2288 wrote to memory of 2792	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	43
PID 2288 wrote to memory of 2792	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	43
PID 2792 wrote to memory of 2860	2792	cmd.exe	45
PID 2792 wrote to memory of 2860	2792	cmd.exe	45
PID 2792 wrote to memory of 2860	2792	cmd.exe	45
PID 2288 wrote to memory of 2636	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	46
PID 2288 wrote to memory of 2636	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	46
PID 2288 wrote to memory of 2636	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	46
PID 2288 wrote to memory of 2636	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	46
PID 2636 wrote to memory of 3016	2636	cmd.exe	48
PID 2636 wrote to memory of 3016	2636	cmd.exe	48
PID 2636 wrote to memory of 3016	2636	cmd.exe	48
PID 2288 wrote to memory of 284	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	49
PID 2288 wrote to memory of 284	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	49
PID 2288 wrote to memory of 284	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	49
PID 2288 wrote to memory of 284	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	49
PID 284 wrote to memory of 2008	284	cmd.exe	51
PID 284 wrote to memory of 2008	284	cmd.exe	51
PID 284 wrote to memory of 2008	284	cmd.exe	51
PID 2288 wrote to memory of 2500	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	52
PID 2288 wrote to memory of 2500	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	52
PID 2288 wrote to memory of 2500	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	52
PID 2288 wrote to memory of 2500	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	52
PID 2500 wrote to memory of 2004	2500	cmd.exe	54
PID 2500 wrote to memory of 2004	2500	cmd.exe	54
PID 2500 wrote to memory of 2004	2500	cmd.exe	54
PID 2288 wrote to memory of 1412	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	55
PID 2288 wrote to memory of 1412	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	55
PID 2288 wrote to memory of 1412	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	55
PID 2288 wrote to memory of 1412	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	55
PID 1412 wrote to memory of 2172	1412	cmd.exe	57
PID 1412 wrote to memory of 2172	1412	cmd.exe	57
PID 1412 wrote to memory of 2172	1412	cmd.exe	57
PID 2288 wrote to memory of 2776	2288	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
"C:\Users\Admin\AppData\Local\Temp\418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7127F030-330D-414A-BDB2-256033236929}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7127F030-330D-414A-BDB2-256033236929}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B707CDF-0415-4CE3-B83E-59319AFC24A4}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B707CDF-0415-4CE3-B83E-59319AFC24A4}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F3F6F90-C063-4789-8DDC-7000950B4FAA}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F3F6F90-C063-4789-8DDC-7000950B4FAA}'" delete
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B42CA55-BD64-4BF0-9B30-BBA14F760C1D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B42CA55-BD64-4BF0-9B30-BBA14F760C1D}'" delete
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6879DD84-89FC-4F89-8AF4-05A4C5A992D7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6879DD84-89FC-4F89-8AF4-05A4C5A992D7}'" delete
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F358BFC-14B8-4ACD-9805-E69EDAC61E04}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F358BFC-14B8-4ACD-9805-E69EDAC61E04}'" delete
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17DE42A7-59E9-4543-AAB8-AB4290A50925}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17DE42A7-59E9-4543-AAB8-AB4290A50925}'" delete
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{423E1407-704C-403F-9E61-92D0C7B71A8C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{423E1407-704C-403F-9E61-92D0C7B71A8C}'" delete
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5EB0F9F-9E89-4C4F-BBF8-15DF433ED657}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5EB0F9F-9E89-4C4F-BBF8-15DF433ED657}'" delete
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E130FDAD-2904-4BDF-ABB5-CB319127B849}'" delete
  2⤵
  PID:2776
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E130FDAD-2904-4BDF-ABB5-CB319127B849}'" delete
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EC5F74E7-BFC5-43A3-B9C9-DB36DAB4474E}'" delete
  2⤵
  PID:1692
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EC5F74E7-BFC5-43A3-B9C9-DB36DAB4474E}'" delete
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CDCB3820-F2D8-44A7-AD4C-9C43FA312B61}'" delete
  2⤵
  PID:1752
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CDCB3820-F2D8-44A7-AD4C-9C43FA312B61}'" delete
    3⤵
    PID:2284
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E20C271-2BEA-44FB-91D6-A656DF8E5C80}'" delete
  2⤵
  PID:2140
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E20C271-2BEA-44FB-91D6-A656DF8E5C80}'" delete
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{576A9981-69EA-4BE3-8CE3-DD8BBE6726C7}'" delete
  2⤵
  PID:1204
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{576A9981-69EA-4BE3-8CE3-DD8BBE6726C7}'" delete
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A99FA62-98C3-4CA8-9274-63EB4EE8A3F5}'" delete
  2⤵
  PID:1028
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A99FA62-98C3-4CA8-9274-63EB4EE8A3F5}'" delete
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14F95ED9-A010-421E-BFB7-B0AF02DF0FB3}'" delete
  2⤵
  PID:560
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14F95ED9-A010-421E-BFB7-B0AF02DF0FB3}'" delete
    3⤵
    PID:840
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA0BE1BE-8444-47B6-8CAC-4257D92434C7}'" delete
  2⤵
  PID:2508
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA0BE1BE-8444-47B6-8CAC-4257D92434C7}'" delete
    3⤵
    PID:376
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E0A22A3F-FEAD-42DA-BAFD-43C026250296}'" delete
  2⤵
  PID:356
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E0A22A3F-FEAD-42DA-BAFD-43C026250296}'" delete
    3⤵
    PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
d37ef45fe5c6586a80321288d58a5781

SHA1
9dfec63a05fff0bbd0b4098359ba955fe60cb760

SHA256
b88d37ddce9f4fcf798faaa27741331bec4cea80cdf0f287504e4238dae55259

SHA512
a709f8dd5d570e922901b9f7206e57f7631f85bebb4ad4861c7efb16cfe6ed911ee516b89d2f3a8a07524d63c364220171fe54910df2887537f3b3de73d5fe76

Download Submit
memory/2288-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-5-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download
memory/2288-3394-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-10789-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2288-7-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-10791-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download
memory/2288-3-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2288-4-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2288-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-15864-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-17697-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-17700-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-17701-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2288-17702-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2288-17703-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download