Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 07:10
Static task
static1
General
Target
Size: 330KB
MD5: 8c26c5bb599b606cc549ceef0d9d2da3
SHA1: 86a373936df7e753f7284efc63bf8970e9a56870
SHA256: acc791703bc6e6ec9dcad7ef28ea5bcd1cf70f0a17412b28078daa66df5989d8
SHA512: f05012ab52e2e88f0342d0a9fc52be210cdb4895035c4854592f350e24ddbcf48a710c25285c73a0462d51fe937540d491f5ce376e226558398cc1eb7bab2873
SSDEEP: 6144:ypBFADu1hgO8uoHKm9bDSN23GqcgCC/5t:sM6TgO1oHbHSN2334O
Malware Config
Signatures
- Renames multiple (7752) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: [email protected]
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\#Recover-Files.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00299_.WMF
  File opened for modification: C:\Program Files\7-Zip\Lang\uk.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#Recover-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\#Recover-Files.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\#Recover-Files.txt
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#Recover-Files.txt
  File created: C:\Program Files\Java\jre7\lib\jfr\#Recover-Files.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar
  File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\#Recover-Files.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Africa\#Recover-Files.txt
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\#Recover-Files.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\#Recover-Files.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_hyperlink.gif
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#Recover-Files.txt
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Zurich
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar
  File opened for modification: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\THMBNAIL.PNG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.DPV
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml
  File created: C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#Recover-Files.txt
  File created: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\#Recover-Files.txt
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.GIF
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.ELM
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2876, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 632, Process [email protected] (25 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, grouped by process:
  pid 2744, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 2748, WMIC.exe (the following list appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2976, WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry below was recorded three times unless noted (pid, Process, target pid, procid_target):
  PID 632 ([email protected]) wrote to memory of 1148 (procid_target 30)
  PID 1148 (cmd.exe) wrote to memory of 2876 (procid_target 33)
  PID 632 ([email protected]) wrote to memory of 2868 (procid_target 36)
  PID 2868 (cmd.exe) wrote to memory of 2748 (procid_target 38)
  PID 632 ([email protected]) wrote to memory of 2776 (procid_target 39)
  PID 2776 (cmd.exe) wrote to memory of 2976 (procid_target 41)
  PID 632 ([email protected]) wrote to memory of 2780 (procid_target 42)
  PID 2780 (cmd.exe) wrote to memory of 2672 (procid_target 44)
  PID 632 ([email protected]) wrote to memory of 2648 (procid_target 45)
  PID 2648 (cmd.exe) wrote to memory of 2736 (procid_target 47)
  PID 632 ([email protected]) wrote to memory of 2504 (procid_target 48)
  PID 2504 (cmd.exe) wrote to memory of 444 (procid_target 50)
  PID 632 ([email protected]) wrote to memory of 2960 (procid_target 51)
  PID 2960 (cmd.exe) wrote to memory of 2948 (procid_target 53)
  PID 632 ([email protected]) wrote to memory of 556 (procid_target 54)
  PID 556 (cmd.exe) wrote to memory of 1524 (procid_target 56)
  PID 632 ([email protected]) wrote to memory of 2912 (procid_target 57)
  PID 2912 (cmd.exe) wrote to memory of 2956 (procid_target 59)
  PID 632 ([email protected]) wrote to memory of 1388 (procid_target 60)
  PID 1388 (cmd.exe) wrote to memory of 492 (procid_target 62)
  PID 632 ([email protected]) wrote to memory of 840 (procid_target 63)
  PID 840 (cmd.exe) wrote to memory of 2192 (procid_target 65) (recorded once; the 64-entry list is truncated here)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  PID: 632
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
    PID: 1148
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
      PID: 2876
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
    PID: 2868
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
      PID: 2748
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
    PID: 2776
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
      PID: 2976
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
    PID: 2780
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
      PID: 2672
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
    PID: 2648
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
      PID: 2736
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
    PID: 2504
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
      PID: 444
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
    PID: 2960
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
      PID: 2948
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
    PID: 556
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
      PID: 1524
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
    PID: 2912
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
      PID: 2956
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
    PID: 1388
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
      PID: 492
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
    PID: 840
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
      PID: 2192
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
    PID: 2216
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
      PID: 2112
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
    PID: 580
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
      PID: 1940
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
    PID: 1632
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
      PID: 2160
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
    PID: 568
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
      PID: 808
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
    PID: 3008
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
      PID: 2596
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
    PID: 1320
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
      PID: 1876
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
    PID: 1380
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
      PID: 2024
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
    PID: 820
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
      PID: 908
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
    PID: 1080
    - C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
      PID: 1224
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2744
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 449B
  MD5: e2a59a33e6c827a3317aa009e702e816
  SHA1: 003fa7c8adb28bcb99468f7e0b738308858b6af4
  SHA256: ad3342ff420c93b547ac3ecd7cfb352bba70a57b67ff5985f2442507decf9f57
  SHA512: f4c50931db6d051ac62217dca3e5d5ac080b02fda58bd9cb93a81553f6b8cf8369845e87e64e1d378d1fb5749ceadfde9c2b1eb142b512c7200dda5fe56dab99