Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 19:56
- Static task: static1
- Behavioral task: behavioral1 (sample: sqlsrvr.exe, resource: win7-en-20210920)
- Behavioral task: behavioral2 (sample: sqlsrvr.exe, resource: win10-en-20211014)
General
- Target: sqlsrvr.exe
- Size: 1.8MB
- MD5: e1338c42da2d2363afbbd0eeabad1ca9
- SHA1: fe5d669b732c9227bb25787083906f49b732c335
- SHA256: 61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
- SHA512: bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
Malware Config
Extracted
- Path: C:\Read Me.TXT
- Email: helpdecryptmyfiles@yandex.com
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes: pid 1456 svchost.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: svchost.exe
  File created C:\Users\Admin\Pictures\CheckpointBlock.crw.redeem (svchost.exe)
  File created C:\Users\Admin\Pictures\UndoEnter.raw.redeem (svchost.exe)
  File created C:\Users\Admin\Pictures\InitializeRequest.tif.redeem (svchost.exe)
  File created C:\Users\Admin\Pictures\SelectEdit.raw.redeem (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: sqlsrvr.exe
  Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation (sqlsrvr.exe)
- Deletes itself (1 IoCs)
  Processes: pid 1456 svchost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (5 IoCs)
  Processes: svchost.exe
  File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (svchost.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (svchost.exe)
  File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (svchost.exe)
  File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (svchost.exe)
  File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (svchost.exe)
- Modifies WinLogon (2 TTPs, 4 IoCs)
  Processes: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = <ransom note, shown below> (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = <ransom note, shown below> (svchost.exe)
  LegalNoticeText value (identical under both keys; the embedded \n escapes of the registry string are expanded here, the banner's whitespace is as captured):

    8888888b. 888 
    888 Y88b 888 
    888 888 888 
    888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 
    8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 
    888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 
    888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 
    888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888 

    Made by Cerebrate - Dread Forums TOR
    [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]

    [Q1] What happened, I cannot open my files and they have an odd extension?
    [A1] Your files have been encrypted by Redeemer, a new ransomware operation.

    [Q2] Is there any way to recover my files?
    [A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).

    [Q3] Is there any any way to recover my files without paying?
    [A3] Without paying it is impossible your files.
    Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.
    Without a proper key, you will never regain access to your files.

    [Q4] What is XMR (Monero)?
    [A4] It is a privacy oriented cryptocurrency.
    You can learn more about Monero on getmonero.org.
    You can view ways to purchase it on www.monero.how/how-to-buy-monero.

    [Q5] How will I decrypt my files?
    [A5] Follow the general instructions:
    -1. Buy 02 XMR.
    -2. Contact helpdecryptmyfiles@yandex.com and send the following key:

    -----BEGIN REDEEMER PUBLIC KEY-----
    NzVC7makqkwG9LP3D4IPTZSILwpVc5I8oDPB49BgWzamObWMQI
    dGgVXgMOc199uuc3SFJO7Egfu7LGIl5TB8eZpG/6Xa29XSDHGj
    UR/UoECaSVhz34NQ3xCKQ5N+FTA06rs8YGfmtutjLKhs6rwtA4
    G6taUOM+VbLbx0CH8Bz0203kotIB9LVJ+Ilty1G3x6kgUZlWKQ
    jTJP9kF3dBNzAQUB2dedovqGo6KESBd3Y1IFFb1ismR5+rHooe
    FXwjyYhuJ9Mq0AZLnLwu8r5aSaR1Io0HiWBJd6DcvA3t8VXmcf
    /QsbjFr/h3MM77zNSswLuTOmD17HZjZR53UWbBMJkBzT3IPdUJ
    Z67A/Tzu7T2/wq4c9kDBOUgp/6iOLiAtnUVN5C1MVa24GN3z7F
    CjinB0Iq18FDt+XqOcSEFhFZcuG2kIWvfZy+eSbx8bD01f8Bpw
    8ipMm/c92WupSvi72JULiEYU++m3iNhEL45rwLLIoDfvRbMEyX
    Y+t4LTwCromV6jigXpLl4QxYwMP8SOoAl5y7upELdVm2ej1igw
    0oZgsFIpjrUQxa6Iq22WGTByxFCWmkFVm0dJL8xvZovmD9BJ8G
    Rf8mpzeheX6GTYSRBGK1/JyB3NVoZzvDy002bH4kC63qU6PBGo
    hvZjP4b15CKzc8hETEqYUBl5wnQbXJg+hwdA==
    -----END REDEEMER PUBLIC KEY-----

    -3. You will receive an XMR address where you will need to pay the requested amount of Monero.
    -4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.
- Drops file in Windows directory (3 IoCs)
  Processes: sqlsrvr.exe
  File opened for modification C:\Windows\ProgramData__\ (sqlsrvr.exe)
  File created C:\Windows\ProgramData__\svchost.exe (sqlsrvr.exe)
  File opened for modification C:\Windows\ProgramData__\svchost.exe (sqlsrvr.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: pid 1092 vssadmin.exe
- Modifies registry class (8 IoCs)
  Processes: sqlsrvr.exe, cmd.exe, cmd.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (sqlsrvr.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer (cmd.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell (cmd.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open (cmd.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command (cmd.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file." (cmd.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem (cmd.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer" (cmd.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, wevtutil.exe (x4), svchost.exe
  Token: SeBackupPrivilege, pid 344 vssvc.exe
  Token: SeRestorePrivilege, pid 344 vssvc.exe
  Token: SeAuditPrivilege, pid 344 vssvc.exe
  Token: SeSecurityPrivilege, pid 1764 wevtutil.exe
  Token: SeBackupPrivilege, pid 1764 wevtutil.exe
  Token: SeSecurityPrivilege, pid 1052 wevtutil.exe
  Token: SeBackupPrivilege, pid 1052 wevtutil.exe
  Token: SeSecurityPrivilege, pid 1164 wevtutil.exe
  Token: SeBackupPrivilege, pid 1164 wevtutil.exe
  Token: SeSecurityPrivilege, pid 2084 wevtutil.exe
  Token: SeBackupPrivilege, pid 2084 wevtutil.exe
  Token: SeTakeOwnershipPrivilege, pid 1456 svchost.exe (this row is repeated for every remaining entry, 64 IoCs in total)
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes: sqlsrvr.exe, svchost.exe, cmd.exe (x5)
  Each parent/target pair below is reported three times in the original listing (pid wrote to memory of target pid):
  PID 2148 sqlsrvr.exe wrote to memory of 1456 svchost.exe
  PID 1456 svchost.exe wrote to memory of 2224 cmd.exe
  PID 2224 cmd.exe wrote to memory of 1092 vssadmin.exe
  PID 1456 svchost.exe wrote to memory of 3524 cmd.exe
  PID 3524 cmd.exe wrote to memory of 1764 wevtutil.exe
  PID 1456 svchost.exe wrote to memory of 3252 cmd.exe
  PID 3252 cmd.exe wrote to memory of 1052 wevtutil.exe
  PID 1456 svchost.exe wrote to memory of 3600 cmd.exe
  PID 3600 cmd.exe wrote to memory of 1164 wevtutil.exe
  PID 1456 svchost.exe wrote to memory of 1068 cmd.exe
  PID 1068 cmd.exe wrote to memory of 2084 wevtutil.exe
  PID 1456 svchost.exe wrote to memory of 1168 cmd.exe
  PID 1456 svchost.exe wrote to memory of 1524 cmd.exe
  PID 1456 svchost.exe wrote to memory of 1464 cmd.exe
  PID 1456 svchost.exe wrote to memory of 1476 cmd.exe
Processes
(indentation shows the process tree depth reported as 1, 2, 3, 4)

C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe"
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

   C:\Windows\ProgramData__\svchost.exe
   Command line: "C:\Windows\ProgramData__\svchost.exe" C:\Users\Admin\AppData\Local\Temp\sqlsrvr.exe
   - Executes dropped EXE
   - Modifies extensions of user files
   - Deletes itself
   - Drops desktop.ini file(s)
   - Modifies WinLogon
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin delete shadows /All /Quiet
         - Interacts with shadow copies

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\wevtutil.exe
         Command line: wevtutil clear-log Application
         - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\wevtutil.exe
         Command line: wevtutil clear-log Security
         - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\wevtutil.exe
         Command line: wevtutil clear-log Setup
         - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log System
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\wevtutil.exe
         Command line: wevtutil clear-log System
         - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
      - Modifies registry class

      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
      - Modifies registry class

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\ProgramData__\svchost.exe
  MD5: e1338c42da2d2363afbbd0eeabad1ca9
  SHA1: fe5d669b732c9227bb25787083906f49b732c335
  SHA256: 61c47effdf6b6eafd20e74a8a6b52da09e082fefef31c6ae4a2046b6a756050e
  SHA512: bcc887777c3bcb778000893c15357abcc9a78009a1cd8ae325de787a918d98ded1100fe9b21b79b16fe1d44d5d9fe0147292164ff36cf12a13e9e31b02ed372a
  (the report lists this file a second time with identical hashes; the hashes match the submitted sample)
- memory/1052-123-0x0000000000000000-mapping.dmp
- memory/1068-126-0x0000000000000000-mapping.dmp
- memory/1092-119-0x0000000000000000-mapping.dmp
- memory/1164-125-0x0000000000000000-mapping.dmp
- memory/1168-128-0x0000000000000000-mapping.dmp
- memory/1456-115-0x0000000000000000-mapping.dmp
- memory/1464-130-0x0000000000000000-mapping.dmp
- memory/1476-131-0x0000000000000000-mapping.dmp
- memory/1524-129-0x0000000000000000-mapping.dmp
- memory/1764-121-0x0000000000000000-mapping.dmp
- memory/2084-127-0x0000000000000000-mapping.dmp
- memory/2224-118-0x0000000000000000-mapping.dmp
- memory/3252-122-0x0000000000000000-mapping.dmp
- memory/3524-120-0x0000000000000000-mapping.dmp
- memory/3600-124-0x0000000000000000-mapping.dmp