conti | f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
Size

399KB
MD5

4966d675ef2895c479a6dda0a544a781
SHA1

87ade9cc258e7cb2edce7555bd1e8b649de94a9d
SHA256

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac
SHA512

8c23dc3abe9e153e312f0ebef8cbb9ab1c61eb0b806b9442decd5655c7ba1428d5933a5158fe96158363a7de2e151ca0ffc2d4f4ff3307d3b2dc3d9caaa0fdf5
SSDEEP

12288:7mIlX4PsyobFXJMSRpGe2IelMslQqn7GTFD:7V401XJX7G5ItslVM

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- LBCiop0VqOZuBBpA5nE826srUH9zTB8NeLk9dWX69K4nuopOjult1Wz9EY5DwmXn ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (8026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

Processes:

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YK6DYF6H\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SZUP0XFR\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YR1SPOMQ\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1PJQWC5P\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

Drops file in Program Files directory 64 IoCs

Processes:

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18257_.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.ico	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152436.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00058_.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18209_.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\CHEVRON.ICO	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files\Mozilla Firefox\browser\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Porto_Velho	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\COUGH.WAV	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\readme.txt	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.INF	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr.jar	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

pid	Process
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemProfilePrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeProfSingleProcessPrivilege	2680	WMIC.exe
Token: SeIncBasePriorityPrivilege	2680	WMIC.exe
Token: SeCreatePagefilePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeDebugPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeRemoteShutdownPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: 33	2680	WMIC.exe
Token: 34	2680	WMIC.exe
Token: 35	2680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1284 wrote to memory of 2712	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	31
PID 1284 wrote to memory of 2712	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	31
PID 1284 wrote to memory of 2712	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	31
PID 1284 wrote to memory of 2712	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	31
PID 2712 wrote to memory of 2808	2712	cmd.exe	33
PID 2712 wrote to memory of 2808	2712	cmd.exe	33
PID 2712 wrote to memory of 2808	2712	cmd.exe	33
PID 1284 wrote to memory of 2532	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	34
PID 1284 wrote to memory of 2532	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	34
PID 1284 wrote to memory of 2532	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	34
PID 1284 wrote to memory of 2532	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	34
PID 2532 wrote to memory of 2680	2532	cmd.exe	36
PID 2532 wrote to memory of 2680	2532	cmd.exe	36
PID 2532 wrote to memory of 2680	2532	cmd.exe	36
PID 1284 wrote to memory of 2500	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	37
PID 1284 wrote to memory of 2500	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	37
PID 1284 wrote to memory of 2500	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	37
PID 1284 wrote to memory of 2500	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	37
PID 2500 wrote to memory of 2564	2500	cmd.exe	39
PID 2500 wrote to memory of 2564	2500	cmd.exe	39
PID 2500 wrote to memory of 2564	2500	cmd.exe	39
PID 1284 wrote to memory of 3040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	40
PID 1284 wrote to memory of 3040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	40
PID 1284 wrote to memory of 3040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	40
PID 1284 wrote to memory of 3040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	40
PID 3040 wrote to memory of 2444	3040	cmd.exe	42
PID 3040 wrote to memory of 2444	3040	cmd.exe	42
PID 3040 wrote to memory of 2444	3040	cmd.exe	42
PID 1284 wrote to memory of 1700	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	43
PID 1284 wrote to memory of 1700	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	43
PID 1284 wrote to memory of 1700	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	43
PID 1284 wrote to memory of 1700	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	43
PID 1700 wrote to memory of 2576	1700	cmd.exe	45
PID 1700 wrote to memory of 2576	1700	cmd.exe	45
PID 1700 wrote to memory of 2576	1700	cmd.exe	45
PID 1284 wrote to memory of 2828	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	46
PID 1284 wrote to memory of 2828	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	46
PID 1284 wrote to memory of 2828	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	46
PID 1284 wrote to memory of 2828	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	46
PID 2828 wrote to memory of 2840	2828	cmd.exe	48
PID 2828 wrote to memory of 2840	2828	cmd.exe	48
PID 2828 wrote to memory of 2840	2828	cmd.exe	48
PID 1284 wrote to memory of 1040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	49
PID 1284 wrote to memory of 1040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	49
PID 1284 wrote to memory of 1040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	49
PID 1284 wrote to memory of 1040	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	49
PID 1040 wrote to memory of 1952	1040	cmd.exe	51
PID 1040 wrote to memory of 1952	1040	cmd.exe	51
PID 1040 wrote to memory of 1952	1040	cmd.exe	51
PID 1284 wrote to memory of 1616	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	52
PID 1284 wrote to memory of 1616	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	52
PID 1284 wrote to memory of 1616	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	52
PID 1284 wrote to memory of 1616	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	52
PID 1616 wrote to memory of 2036	1616	cmd.exe	54
PID 1616 wrote to memory of 2036	1616	cmd.exe	54
PID 1616 wrote to memory of 2036	1616	cmd.exe	54
PID 1284 wrote to memory of 2232	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	55
PID 1284 wrote to memory of 2232	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	55
PID 1284 wrote to memory of 2232	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	55
PID 1284 wrote to memory of 2232	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	55
PID 2232 wrote to memory of 2208	2232	cmd.exe	57
PID 2232 wrote to memory of 2208	2232	cmd.exe	57
PID 2232 wrote to memory of 2208	2232	cmd.exe	57
PID 1284 wrote to memory of 1000	1284	f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe
"C:\Users\Admin\AppData\Local\Temp\f963e2374a49355515086011726c1f3df4dd88060bdadb0e2d37e1daae8215ac.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EB36893-6247-4676-A4E6-65109583EE79}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EB36893-6247-4676-A4E6-65109583EE79}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{480A1D8D-9C53-4755-B770-37B63D78E4EA}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{480A1D8D-9C53-4755-B770-37B63D78E4EA}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3886C577-84B0-4A7E-AECA-0A6206796E38}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3886C577-84B0-4A7E-AECA-0A6206796E38}'" delete
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAD67C69-A0A4-4DF8-8DAD-1927CD8F5784}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAD67C69-A0A4-4DF8-8DAD-1927CD8F5784}'" delete
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661B06ED-2433-4E13-BBE8-9658F03882A7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661B06ED-2433-4E13-BBE8-9658F03882A7}'" delete
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0B2EEE5-345D-40E0-B2CF-114B187C4F4C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0B2EEE5-345D-40E0-B2CF-114B187C4F4C}'" delete
    3⤵
    PID:2840
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94167452-BB81-493A-ADBD-CDC5D3F7D29C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94167452-BB81-493A-ADBD-CDC5D3F7D29C}'" delete
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F6D4E93-6752-4D9B-ADFA-E5E62EBDC1B4}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F6D4E93-6752-4D9B-ADFA-E5E62EBDC1B4}'" delete
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F556D70-BEE5-4ADC-8BFB-A19E6A1FA2F6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F556D70-BEE5-4ADC-8BFB-A19E6A1FA2F6}'" delete
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D792C7C2-194C-4CB0-9485-982F81F8E9EB}'" delete
  2⤵
  PID:1000
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D792C7C2-194C-4CB0-9485-982F81F8E9EB}'" delete
    3⤵
    PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A3E4DA9-F0C7-4FC9-BD60-49CDBC3C6B1E}'" delete
  2⤵
  PID:760
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A3E4DA9-F0C7-4FC9-BD60-49CDBC3C6B1E}'" delete
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A6AB4E9-0191-40A5-BCAE-D11F24F881AE}'" delete
  2⤵
  PID:2608
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A6AB4E9-0191-40A5-BCAE-D11F24F881AE}'" delete
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FAB154F6-FF53-4F40-8F0B-E8F39DB0727F}'" delete
  2⤵
  PID:1648
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FAB154F6-FF53-4F40-8F0B-E8F39DB0727F}'" delete
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A436AF2F-9DCC-4F44-B0DA-E4A15F6F540D}'" delete
  2⤵
  PID:2544
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A436AF2F-9DCC-4F44-B0DA-E4A15F6F540D}'" delete
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8867B64-F7EC-4F10-9C45-0EA6B0E00D9A}'" delete
  2⤵
  PID:2960
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8867B64-F7EC-4F10-9C45-0EA6B0E00D9A}'" delete
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7472A78A-6C26-41F6-8120-FCBD08E71522}'" delete
  2⤵
  PID:1844
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7472A78A-6C26-41F6-8120-FCBD08E71522}'" delete
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AE80326-28F5-43A1-B346-C4CB448BC8E6}'" delete
  2⤵
  PID:996
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AE80326-28F5-43A1-B346-C4CB448BC8E6}'" delete
    3⤵
    PID:408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
856B

MD5
d693e0fbc9bec1c2753b7aa7a6ef1b4f

SHA1
af902a3fd660548dcf725fce7a2aa6edaeb956a2

SHA256
d0c542fe6e09f423e149632946be5a4ed683a0d48aa7d04288996bef70114d15

SHA512
389fb895ac58e7fa4f6754f23a7d2c34556f95ff71ef5267998032f03278b655c2501b2bc82f9a1928c4e0366d3d1605ca8e3d254a0d136b228e0518238f331c

Download Submit
memory/1284-7-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-3588-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-10421-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/1284-5-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/1284-4-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/1284-10422-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/1284-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-1-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1284-17408-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-17787-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-17790-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-17791-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1284-17793-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/1284-17792-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download