513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
Size

511KB
MD5

772cf40cf86d569715fc1feb47072d1b
SHA1

f51c62c00d157d449e3739f1a104237d9e764c8a
SHA256

513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4
SHA512

25a882ec342917e3d5fe200a7927c4afa2dbcb989108e66e0ed502efa9ce6d42c73f965eb60fa316d49f344f09a7cbe63a10f68c649544801f75cac0ef9e4422
SSDEEP

3072:TPUE8IW6NmG0jQm78rmaZoDyyUmaP/E61VoMU9FLBD9PKigvPXNYzA9QKjhD:TPUE8It0GkXRBUma0oVmJDhKkuQqD

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DisableSplit.vbe	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\EditLimit.aiff	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\NewGroup.MTS	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\PingComplete.xla	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\ConfirmWatch.dotx	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\ConvertToSearch.asx	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\DenyRemove.mov	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\CheckpointClear.tif	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\ConnectGroup.rtf	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\EditSet.xml	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\ConnectWrite.otf	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\desktop.ini	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\GrantUninstall.asx	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\GroupExpand.vsd	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\JoinLimit.wps	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File created	C:\Program Files\readme.txt	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\AssertSend.vssm	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\EnableWait.vsdx	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\NewUpdate.MTS	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\MountCopy.vdw	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\ConfirmApprove.MTS	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\InitializeLock.vsdx	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\InstallExpand.bmp	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\PublishOut.7z	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\RenameWait.iso	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\CheckpointSelect.mp2v	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\CompareShow.pot	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
File opened for modification	C:\Program Files\RegisterEnter.MTS	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2472	2112	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe
Token: 35	2752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe
Token: 35	2752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2908	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	33
PID 2112 wrote to memory of 2908	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	33
PID 2112 wrote to memory of 2908	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	33
PID 2112 wrote to memory of 2908	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	33
PID 2908 wrote to memory of 2752	2908	cmd.exe	35
PID 2908 wrote to memory of 2752	2908	cmd.exe	35
PID 2908 wrote to memory of 2752	2908	cmd.exe	35
PID 2112 wrote to memory of 2724	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	36
PID 2112 wrote to memory of 2724	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	36
PID 2112 wrote to memory of 2724	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	36
PID 2112 wrote to memory of 2724	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	36
PID 2724 wrote to memory of 1964	2724	cmd.exe	38
PID 2724 wrote to memory of 1964	2724	cmd.exe	38
PID 2724 wrote to memory of 1964	2724	cmd.exe	38
PID 2112 wrote to memory of 2636	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	39
PID 2112 wrote to memory of 2636	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	39
PID 2112 wrote to memory of 2636	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	39
PID 2112 wrote to memory of 2636	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	39
PID 2636 wrote to memory of 2964	2636	cmd.exe	41
PID 2636 wrote to memory of 2964	2636	cmd.exe	41
PID 2636 wrote to memory of 2964	2636	cmd.exe	41
PID 2112 wrote to memory of 2764	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	42
PID 2112 wrote to memory of 2764	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	42
PID 2112 wrote to memory of 2764	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	42
PID 2112 wrote to memory of 2764	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	42
PID 2764 wrote to memory of 2656	2764	cmd.exe	44
PID 2764 wrote to memory of 2656	2764	cmd.exe	44
PID 2764 wrote to memory of 2656	2764	cmd.exe	44
PID 2112 wrote to memory of 2632	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	45
PID 2112 wrote to memory of 2632	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	45
PID 2112 wrote to memory of 2632	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	45
PID 2112 wrote to memory of 2632	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	45
PID 2632 wrote to memory of 2452	2632	cmd.exe	47
PID 2632 wrote to memory of 2452	2632	cmd.exe	47
PID 2632 wrote to memory of 2452	2632	cmd.exe	47
PID 2112 wrote to memory of 2360	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	48
PID 2112 wrote to memory of 2360	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	48
PID 2112 wrote to memory of 2360	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	48
PID 2112 wrote to memory of 2360	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	48
PID 2360 wrote to memory of 2204	2360	cmd.exe	50
PID 2360 wrote to memory of 2204	2360	cmd.exe	50
PID 2360 wrote to memory of 2204	2360	cmd.exe	50
PID 2112 wrote to memory of 2800	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	51
PID 2112 wrote to memory of 2800	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	51
PID 2112 wrote to memory of 2800	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	51
PID 2112 wrote to memory of 2800	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	51
PID 2800 wrote to memory of 1680	2800	cmd.exe	53
PID 2800 wrote to memory of 1680	2800	cmd.exe	53
PID 2800 wrote to memory of 1680	2800	cmd.exe	53
PID 2112 wrote to memory of 988	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	54
PID 2112 wrote to memory of 988	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	54
PID 2112 wrote to memory of 988	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	54
PID 2112 wrote to memory of 988	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	54
PID 988 wrote to memory of 2820	988	cmd.exe	56
PID 988 wrote to memory of 2820	988	cmd.exe	56
PID 988 wrote to memory of 2820	988	cmd.exe	56
PID 2112 wrote to memory of 1376	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	57
PID 2112 wrote to memory of 1376	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	57
PID 2112 wrote to memory of 1376	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	57
PID 2112 wrote to memory of 1376	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	57
PID 1376 wrote to memory of 2668	1376	cmd.exe	59
PID 1376 wrote to memory of 2668	1376	cmd.exe	59
PID 1376 wrote to memory of 2668	1376	cmd.exe	59
PID 2112 wrote to memory of 1168	2112	513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe
"C:\Users\Admin\AppData\Local\Temp\513c18df31e04137e97b90bdc36da10bf2cb1036f0911ab14ab46fc630149ca4.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E069A50B-4677-4EFC-BBA4-0B146896D635}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E069A50B-4677-4EFC-BBA4-0B146896D635}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2AAF6AE-BF4D-45CD-A04C-0BEFD44E7053}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2AAF6AE-BF4D-45CD-A04C-0BEFD44E7053}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1326537-1510-4283-A8A8-5E899D2D7407}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1326537-1510-4283-A8A8-5E899D2D7407}'" delete
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA740D83-F31E-4066-9A9F-562BB0076E47}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA740D83-F31E-4066-9A9F-562BB0076E47}'" delete
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{043869AD-442E-4953-A9F1-63B2631D10C7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{043869AD-442E-4953-A9F1-63B2631D10C7}'" delete
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77F6EAD6-2B79-4571-848B-E297C18B14D5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77F6EAD6-2B79-4571-848B-E297C18B14D5}'" delete
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9DEE5C4-A860-475A-8AF4-2E735A8E8E6A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9DEE5C4-A860-475A-8AF4-2E735A8E8E6A}'" delete
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6285DFB1-A11D-43CD-8F8A-49E273581552}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6285DFB1-A11D-43CD-8F8A-49E273581552}'" delete
    3⤵
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76BA5318-71CC-44D0-9EB2-F1ADD3236F72}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76BA5318-71CC-44D0-9EB2-F1ADD3236F72}'" delete
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A13D77C-3B8B-4D66-8EC9-78ECAE56EFC3}'" delete
  2⤵
  PID:1168
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A13D77C-3B8B-4D66-8EC9-78ECAE56EFC3}'" delete
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FD587E5-6373-4ADB-A8B2-6478FE129FEB}'" delete
  2⤵
  PID:1076
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FD587E5-6373-4ADB-A8B2-6478FE129FEB}'" delete
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{908CFA86-110D-45AF-A880-8CC044D5BBF7}'" delete
  2⤵
  PID:2960
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{908CFA86-110D-45AF-A880-8CC044D5BBF7}'" delete
    3⤵
    PID:2932
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5707A7FF-F8CB-4410-A576-785888774343}'" delete
  2⤵
  PID:2428
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5707A7FF-F8CB-4410-A576-785888774343}'" delete
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B5E8C62-CCDF-452A-8F61-CD88FC678D52}'" delete
  2⤵
  PID:2144
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B5E8C62-CCDF-452A-8F61-CD88FC678D52}'" delete
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AAB0200-AA60-4E20-A6B0-C7BE2397087C}'" delete
  2⤵
  PID:628
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AAB0200-AA60-4E20-A6B0-C7BE2397087C}'" delete
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8CBA30E-CE08-4BCF-A683-18F009D44C60}'" delete
  2⤵
  PID:688
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8CBA30E-CE08-4BCF-A683-18F009D44C60}'" delete
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BFC85ED-F021-42A1-BF3B-A27F2748F299}'" delete
  2⤵
  PID:1240
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BFC85ED-F021-42A1-BF3B-A27F2748F299}'" delete
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68C97A87-5C3B-400A-A9A5-1A79E908C25E}'" delete
  2⤵
  PID:2544
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68C97A87-5C3B-400A-A9A5-1A79E908C25E}'" delete
    3⤵
    PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1728
  2⤵
  - Program crash
  PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads