conti | a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Size

829KB
MD5

0b0d76744384d534ebfb2f8d13a682a8
SHA1

0461b92274ba9bc94c2da70221de42a49f341c59
SHA256

a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23
SHA512

5d0c1fbf16571391615b3d42874c85e0a44342af17f75a6bf748fe1d9ec470d894f7a55d0f4bc3f3f18d184686300718f9bf8fc302f1431531308ac2b7ae44a7
SSDEEP

24576:M3HugtHvQzVOvrDkuMX4RmUJUlpk0cK1+l0XBk0OI9NE:qHugtHoWDkuE4RmUJa5cpOXi0VNE

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/MAYeHZzawPjL51jqGnH1euFenWdJSCSx4LjdiNz46bQ2ZPugz83x52n5vqW0O76L YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- MAYeHZzawPjL51jqGnH1euFenWdJSCSx4LjdiNz46bQ2ZPugz83x52n5vqW0O76L ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/MAYeHZzawPjL51jqGnH1euFenWdJSCSx4LjdiNz46bQ2ZPugz83x52n5vqW0O76L

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7981) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1PJQWC5P\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SZUP0XFR\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YR1SPOMQ\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YK6DYF6H\desktop.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Denver	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44B.GIF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Java\jre7\lib\fonts\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.ELM	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00246_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\FormatWait.rtf	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\PREVIEW.GIF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\readme.txt	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ = "DnD.Document"	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\ = "DnD Document"	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\DefaultIcon	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open\command	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnd	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ShellNew	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A562E6~1.EXE \"%1\""	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A562E6~1.EXE /p \"%1\""	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnd\ShellNew\NullFile	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A562E6~1.EXE,1"	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\print\command	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto\command	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DnD.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A562E6~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2568	vssvc.exe
Token: SeRestorePrivilege	2568	vssvc.exe
Token: SeAuditPrivilege	2568	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe
Token: 35	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2528	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	31
PID 1260 wrote to memory of 2528	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	31
PID 1260 wrote to memory of 2528	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	31
PID 1260 wrote to memory of 2528	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	31
PID 2528 wrote to memory of 2564	2528	cmd.exe	33
PID 2528 wrote to memory of 2564	2528	cmd.exe	33
PID 2528 wrote to memory of 2564	2528	cmd.exe	33
PID 1260 wrote to memory of 2804	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	34
PID 1260 wrote to memory of 2804	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	34
PID 1260 wrote to memory of 2804	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	34
PID 1260 wrote to memory of 2804	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	34
PID 2804 wrote to memory of 2488	2804	cmd.exe	36
PID 2804 wrote to memory of 2488	2804	cmd.exe	36
PID 2804 wrote to memory of 2488	2804	cmd.exe	36
PID 1260 wrote to memory of 352	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	37
PID 1260 wrote to memory of 352	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	37
PID 1260 wrote to memory of 352	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	37
PID 1260 wrote to memory of 352	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	37
PID 352 wrote to memory of 1664	352	cmd.exe	39
PID 352 wrote to memory of 1664	352	cmd.exe	39
PID 352 wrote to memory of 1664	352	cmd.exe	39
PID 1260 wrote to memory of 2828	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	40
PID 1260 wrote to memory of 2828	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	40
PID 1260 wrote to memory of 2828	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	40
PID 1260 wrote to memory of 2828	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	40
PID 2828 wrote to memory of 1948	2828	cmd.exe	42
PID 2828 wrote to memory of 1948	2828	cmd.exe	42
PID 2828 wrote to memory of 1948	2828	cmd.exe	42
PID 1260 wrote to memory of 764	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	43
PID 1260 wrote to memory of 764	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	43
PID 1260 wrote to memory of 764	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	43
PID 1260 wrote to memory of 764	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	43
PID 764 wrote to memory of 1940	764	cmd.exe	45
PID 764 wrote to memory of 1940	764	cmd.exe	45
PID 764 wrote to memory of 1940	764	cmd.exe	45
PID 1260 wrote to memory of 1756	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	46
PID 1260 wrote to memory of 1756	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	46
PID 1260 wrote to memory of 1756	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	46
PID 1260 wrote to memory of 1756	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	46
PID 1756 wrote to memory of 1068	1756	cmd.exe	48
PID 1756 wrote to memory of 1068	1756	cmd.exe	48
PID 1756 wrote to memory of 1068	1756	cmd.exe	48
PID 1260 wrote to memory of 2468	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	49
PID 1260 wrote to memory of 2468	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	49
PID 1260 wrote to memory of 2468	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	49
PID 1260 wrote to memory of 2468	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	49
PID 2468 wrote to memory of 1744	2468	cmd.exe	51
PID 2468 wrote to memory of 1744	2468	cmd.exe	51
PID 2468 wrote to memory of 1744	2468	cmd.exe	51
PID 1260 wrote to memory of 1572	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	52
PID 1260 wrote to memory of 1572	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	52
PID 1260 wrote to memory of 1572	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	52
PID 1260 wrote to memory of 1572	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	52
PID 1572 wrote to memory of 1620	1572	cmd.exe	54
PID 1572 wrote to memory of 1620	1572	cmd.exe	54
PID 1572 wrote to memory of 1620	1572	cmd.exe	54
PID 1260 wrote to memory of 2348	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	55
PID 1260 wrote to memory of 2348	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	55
PID 1260 wrote to memory of 2348	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	55
PID 1260 wrote to memory of 2348	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	55
PID 2348 wrote to memory of 2288	2348	cmd.exe	57
PID 2348 wrote to memory of 2288	2348	cmd.exe	57
PID 2348 wrote to memory of 2288	2348	cmd.exe	57
PID 1260 wrote to memory of 2572	1260	a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe
"C:\Users\Admin\AppData\Local\Temp\a562e681906cbb239de7c405a9a32a850e4c0fa1fde875ba2eb2b71babba9f23.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EB36893-6247-4676-A4E6-65109583EE79}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EB36893-6247-4676-A4E6-65109583EE79}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{480A1D8D-9C53-4755-B770-37B63D78E4EA}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{480A1D8D-9C53-4755-B770-37B63D78E4EA}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3886C577-84B0-4A7E-AECA-0A6206796E38}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3886C577-84B0-4A7E-AECA-0A6206796E38}'" delete
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAD67C69-A0A4-4DF8-8DAD-1927CD8F5784}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAD67C69-A0A4-4DF8-8DAD-1927CD8F5784}'" delete
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661B06ED-2433-4E13-BBE8-9658F03882A7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661B06ED-2433-4E13-BBE8-9658F03882A7}'" delete
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0B2EEE5-345D-40E0-B2CF-114B187C4F4C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0B2EEE5-345D-40E0-B2CF-114B187C4F4C}'" delete
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94167452-BB81-493A-ADBD-CDC5D3F7D29C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94167452-BB81-493A-ADBD-CDC5D3F7D29C}'" delete
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F6D4E93-6752-4D9B-ADFA-E5E62EBDC1B4}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F6D4E93-6752-4D9B-ADFA-E5E62EBDC1B4}'" delete
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F556D70-BEE5-4ADC-8BFB-A19E6A1FA2F6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F556D70-BEE5-4ADC-8BFB-A19E6A1FA2F6}'" delete
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D792C7C2-194C-4CB0-9485-982F81F8E9EB}'" delete
  2⤵
  PID:2572
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D792C7C2-194C-4CB0-9485-982F81F8E9EB}'" delete
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A3E4DA9-F0C7-4FC9-BD60-49CDBC3C6B1E}'" delete
  2⤵
  PID:2040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7A3E4DA9-F0C7-4FC9-BD60-49CDBC3C6B1E}'" delete
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A6AB4E9-0191-40A5-BCAE-D11F24F881AE}'" delete
  2⤵
  PID:668
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A6AB4E9-0191-40A5-BCAE-D11F24F881AE}'" delete
    3⤵
    PID:776
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FAB154F6-FF53-4F40-8F0B-E8F39DB0727F}'" delete
  2⤵
  PID:1496
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FAB154F6-FF53-4F40-8F0B-E8F39DB0727F}'" delete
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A436AF2F-9DCC-4F44-B0DA-E4A15F6F540D}'" delete
  2⤵
  PID:1812
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A436AF2F-9DCC-4F44-B0DA-E4A15F6F540D}'" delete
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8867B64-F7EC-4F10-9C45-0EA6B0E00D9A}'" delete
  2⤵
  PID:3060
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8867B64-F7EC-4F10-9C45-0EA6B0E00D9A}'" delete
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7472A78A-6C26-41F6-8120-FCBD08E71522}'" delete
  2⤵
  PID:1732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7472A78A-6C26-41F6-8120-FCBD08E71522}'" delete
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AE80326-28F5-43A1-B346-C4CB448BC8E6}'" delete
  2⤵
  PID:1348
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AE80326-28F5-43A1-B346-C4CB448BC8E6}'" delete
    3⤵
    PID:2080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
04a372cdd23f8bc91474d53be5d5b0bf

SHA1
1eb3b106975d8a53f16715bd930cdec461b8dfde

SHA256
ab27c0b6f29f6a547fd3b50eeeed06fb505a561635ca33a110d1a529ee64800b

SHA512
1dc9de3fb04a3ea1051451a56514eef45655cd4dfba56bdde524a81394f442d67ab6493b08400bd931ac51a61d19f7c8882b83ff762fd472de74b51576ac75a7

Download Submit
memory/1260-9-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1260-1-0x0000000000660000-0x000000000069F000-memory.dmp

Filesize
252KB

Download
memory/1260-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-5-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-10-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-3-0x0000000000401000-0x000000000044E000-memory.dmp

Filesize
308KB

Download
memory/1260-8-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-2-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-11-0x0000000001D60000-0x0000000001D8E000-memory.dmp

Filesize
184KB

Download
memory/1260-13-0x0000000001E60000-0x0000000001E90000-memory.dmp

Filesize
192KB

Download
memory/1260-17-0x0000000002190000-0x00000000021BF000-memory.dmp

Filesize
188KB

Download
memory/1260-21-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-7-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1260-717-0x0000000000660000-0x000000000069F000-memory.dmp

Filesize
252KB

Download
memory/1260-5479-0x0000000000401000-0x000000000044E000-memory.dmp

Filesize
308KB

Download