3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 22:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FC8E43EC21BE9047/lbg32.exe
Size

60KB
MD5

c5cc3c5cef6b382568a54f579b2965ff
SHA1

e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
SHA256

48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
SHA512

74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
SSDEEP

1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	lbg32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	lbg32.exe
File opened (read-only)	\??\D:	lbg32.exe
File opened (read-only)	\??\T:	lbg32.exe
File opened (read-only)	\??\Y:	lbg32.exe
File opened (read-only)	\??\A:	lbg32.exe
File opened (read-only)	\??\S:	lbg32.exe
File opened (read-only)	\??\G:	lbg32.exe
File opened (read-only)	\??\L:	lbg32.exe
File opened (read-only)	\??\I:	lbg32.exe
File opened (read-only)	\??\B:	lbg32.exe
File opened (read-only)	\??\N:	lbg32.exe
File opened (read-only)	\??\F:	lbg32.exe
File opened (read-only)	\??\U:	lbg32.exe
File opened (read-only)	\??\K:	lbg32.exe
File opened (read-only)	\??\V:	lbg32.exe
File opened (read-only)	\??\X:	lbg32.exe
File opened (read-only)	\??\E:	lbg32.exe
File opened (read-only)	\??\O:	lbg32.exe
File opened (read-only)	\??\P:	lbg32.exe
File opened (read-only)	\??\H:	lbg32.exe
File opened (read-only)	\??\J:	lbg32.exe
File opened (read-only)	\??\Z:	lbg32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00693_.WMF.80951614e2dc	lbg32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153273.WMF.440b4c383a70	lbg32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216612.WMF.048c8b787e30	lbg32.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini.8554d2696f51	lbg32.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui.f49364b8bac0	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF.9f61fd353f6d	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF.da9b42cac812	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF.7e275a1e6456	lbg32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF.4c7738e0d298	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198447.WMF.ca18d1a6d80e	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099158.WMF.08777cac96c4	lbg32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.2da688415319	lbg32.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL.debd60d2c41a	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.654f291719ef	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF.69c9a3071def	lbg32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Uninstall Information\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui.7da9d713615b	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF.f76c986b6d43	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF.6fabc70513ad	lbg32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF.b28736e2d08a	lbg32.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF.63fe9ef301ab	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF.7f067a1f2557	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF.9ee07d323c6a	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.142433b8be60	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.cab970e6d80e	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF.2185a7574d1f	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF.bdde607163b9	lbg32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105384.WMF.a142e04d4795	lbg32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\Restore-My-Files.txt	lbg32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.146077b8b6e0	lbg32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF.ab01a9c9cba1	lbg32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF.b40bbce8ea80	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL.b349f9615399	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSCLT.DLL.db7da5494b11	lbg32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\Restore-My-Files.txt	lbg32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.05a2a4a9ab71	lbg32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbg32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2868	lbg32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	lbg32.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2628	2868	lbg32.exe	31
PID 2868 wrote to memory of 2628	2868	lbg32.exe	31
PID 2868 wrote to memory of 2628	2868	lbg32.exe	31
PID 2868 wrote to memory of 2628	2868	lbg32.exe	31
PID 2628 wrote to memory of 2740	2628	cmd.exe	33
PID 2628 wrote to memory of 2740	2628	cmd.exe	33
PID 2628 wrote to memory of 2740	2628	cmd.exe	33
PID 2868 wrote to memory of 2636	2868	lbg32.exe	34
PID 2868 wrote to memory of 2636	2868	lbg32.exe	34
PID 2868 wrote to memory of 2636	2868	lbg32.exe	34
PID 2868 wrote to memory of 2636	2868	lbg32.exe	34
PID 2636 wrote to memory of 2588	2636	cmd.exe	36
PID 2636 wrote to memory of 2588	2636	cmd.exe	36
PID 2636 wrote to memory of 2588	2636	cmd.exe	36
PID 2868 wrote to memory of 2768	2868	lbg32.exe	37
PID 2868 wrote to memory of 2768	2868	lbg32.exe	37
PID 2868 wrote to memory of 2768	2868	lbg32.exe	37
PID 2868 wrote to memory of 2768	2868	lbg32.exe	37
PID 2768 wrote to memory of 2784	2768	cmd.exe	39
PID 2768 wrote to memory of 2784	2768	cmd.exe	39
PID 2768 wrote to memory of 2784	2768	cmd.exe	39
PID 2868 wrote to memory of 2712	2868	lbg32.exe	40
PID 2868 wrote to memory of 2712	2868	lbg32.exe	40
PID 2868 wrote to memory of 2712	2868	lbg32.exe	40
PID 2868 wrote to memory of 2712	2868	lbg32.exe	40
PID 2712 wrote to memory of 2596	2712	cmd.exe	42
PID 2712 wrote to memory of 2596	2712	cmd.exe	42
PID 2712 wrote to memory of 2596	2712	cmd.exe	42
PID 2868 wrote to memory of 2500	2868	lbg32.exe	43
PID 2868 wrote to memory of 2500	2868	lbg32.exe	43
PID 2868 wrote to memory of 2500	2868	lbg32.exe	43
PID 2868 wrote to memory of 2500	2868	lbg32.exe	43
PID 2500 wrote to memory of 2560	2500	cmd.exe	45
PID 2500 wrote to memory of 2560	2500	cmd.exe	45
PID 2500 wrote to memory of 2560	2500	cmd.exe	45
PID 2868 wrote to memory of 2216	2868	lbg32.exe	46
PID 2868 wrote to memory of 2216	2868	lbg32.exe	46
PID 2868 wrote to memory of 2216	2868	lbg32.exe	46
PID 2868 wrote to memory of 2216	2868	lbg32.exe	46
PID 2216 wrote to memory of 2656	2216	cmd.exe	48
PID 2216 wrote to memory of 2656	2216	cmd.exe	48
PID 2216 wrote to memory of 2656	2216	cmd.exe	48
PID 2868 wrote to memory of 1780	2868	lbg32.exe	49
PID 2868 wrote to memory of 1780	2868	lbg32.exe	49
PID 2868 wrote to memory of 1780	2868	lbg32.exe	49
PID 2868 wrote to memory of 1780	2868	lbg32.exe	49
PID 1780 wrote to memory of 672	1780	cmd.exe	51
PID 1780 wrote to memory of 672	1780	cmd.exe	51
PID 1780 wrote to memory of 672	1780	cmd.exe	51
PID 2868 wrote to memory of 2244	2868	lbg32.exe	52
PID 2868 wrote to memory of 2244	2868	lbg32.exe	52
PID 2868 wrote to memory of 2244	2868	lbg32.exe	52
PID 2868 wrote to memory of 2244	2868	lbg32.exe	52
PID 2244 wrote to memory of 2232	2244	cmd.exe	54
PID 2244 wrote to memory of 2232	2244	cmd.exe	54
PID 2244 wrote to memory of 2232	2244	cmd.exe	54
PID 2868 wrote to memory of 1692	2868	lbg32.exe	55
PID 2868 wrote to memory of 1692	2868	lbg32.exe	55
PID 2868 wrote to memory of 1692	2868	lbg32.exe	55
PID 2868 wrote to memory of 1692	2868	lbg32.exe	55
PID 1692 wrote to memory of 1992	1692	cmd.exe	57
PID 1692 wrote to memory of 1992	1692	cmd.exe	57
PID 1692 wrote to memory of 1992	1692	cmd.exe	57
PID 2868 wrote to memory of 1184	2868	lbg32.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe
"C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg32.exe"
1⤵
- Deletes itself
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70867F06-7CE1-4635-B3B9-B5A80520A0FD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70867F06-7CE1-4635-B3B9-B5A80520A0FD}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11604F1-7F18-47A6-A744-AAD058AB754A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11604F1-7F18-47A6-A744-AAD058AB754A}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0529A45-DBF9-4DB3-ACB1-3619AD81B6AC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0529A45-DBF9-4DB3-ACB1-3619AD81B6AC}'" delete
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{062248DE-39B6-423C-A67E-69CAD416E064}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{062248DE-39B6-423C-A67E-69CAD416E064}'" delete
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF77FEF8-EF61-428A-9041-8F75AEE58A5A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF77FEF8-EF61-428A-9041-8F75AEE58A5A}'" delete
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46E9FFC8-3268-4C46-AEFC-42F29D38E242}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46E9FFC8-3268-4C46-AEFC-42F29D38E242}'" delete
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865DC7F6-3205-48B5-A10B-026BE0E5CCC3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865DC7F6-3205-48B5-A10B-026BE0E5CCC3}'" delete
    3⤵
    PID:672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{031360AE-AE90-4D09-A5DD-18BD27B4DA8B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{031360AE-AE90-4D09-A5DD-18BD27B4DA8B}'" delete
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34AFA9F9-D8FE-4285-8FEE-F6108327FB60}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34AFA9F9-D8FE-4285-8FEE-F6108327FB60}'" delete
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B26E81A-246E-4812-AB1B-E09311497E4F}'" delete
  2⤵
  PID:1184
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B26E81A-246E-4812-AB1B-E09311497E4F}'" delete
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A5EE2C2-74F2-4F85-B085-352DD22F3F19}'" delete
  2⤵
  PID:1928
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A5EE2C2-74F2-4F85-B085-352DD22F3F19}'" delete
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E004930-4D06-41D2-8DA7-60B418047C45}'" delete
  2⤵
  PID:1848
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E004930-4D06-41D2-8DA7-60B418047C45}'" delete
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1E0F523-CDCE-47AA-8040-220077B8638D}'" delete
  2⤵
  PID:1948
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1E0F523-CDCE-47AA-8040-220077B8638D}'" delete
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACCD57AE-C108-4B25-9C35-465EA0B0C589}'" delete
  2⤵
  PID:2316
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACCD57AE-C108-4B25-9C35-465EA0B0C589}'" delete
    3⤵
    PID:552
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8689E06-A6C3-4B92-8ABD-7D142E9F6E63}'" delete
  2⤵
  PID:2148
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8689E06-A6C3-4B92-8ABD-7D142E9F6E63}'" delete
    3⤵
    PID:912
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{691C44D9-4EB9-405D-88BA-127C26A77CF8}'" delete
  2⤵
  PID:704
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{691C44D9-4EB9-405D-88BA-127C26A77CF8}'" delete
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0900A2AB-8F8F-4CFD-9EE8-2BED2485D25E}'" delete
  2⤵
  PID:388
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0900A2AB-8F8F-4CFD-9EE8-2BED2485D25E}'" delete
    3⤵
    PID:784
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{640F5951-2CA4-4B4A-8286-8786980B46DE}'" delete
  2⤵
  PID:272
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{640F5951-2CA4-4B4A-8286-8786980B46DE}'" delete
    3⤵
    PID:1556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\Restore-My-Files.txt

Filesize
6KB

MD5
74a77bd81fa83b32b595eafa20c978ec

SHA1
5ce7e2079a61d012d4839a84eb7bb329651a2ead

SHA256
49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616

SHA512
71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4

Download Submit
memory/2868-0-0x0000000000070000-0x000000000013A000-memory.dmp

Filesize
808KB

Download
memory/2868-522-0x0000000000070000-0x000000000013A000-memory.dmp

Filesize
808KB

Download
memory/2868-523-0x0000000000070000-0x000000000013A000-memory.dmp

Filesize
808KB

Download
memory/2868-3776-0x0000000000070000-0x000000000013A000-memory.dmp

Filesize
808KB

Download