Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 24-11-2021 10:38
Static task: static1
Behavioral task: behavioral1
  Sample: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  Resource: win10-en-20211014
General
- Target: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
- Size: 194KB
- MD5: 31c250609693ca7450a1d79840c51057
- SHA1: eca2dea03f2c5eac7bbf54e1d212f0fc61d936f8
- SHA256: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9
- SHA512: eac254d9a4950666747fad7534c815bafcdc75b6862bb442c9a4d9b4c00aedc2e9317514b7e76f5453c4f0ca55327c88e8cec743a46ccac78fcbfa3e32700424
Malware Config
Extracted from: C:\readme.txt
conti
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.ws
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe (process column for every entry below)
  - File renamed: C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.PYZWR
  - File renamed: C:\Users\Admin\Pictures\InitializeTest.crw => C:\Users\Admin\Pictures\InitializeTest.crw.PYZWR
  - File renamed: C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.PYZWR
  - File renamed: C:\Users\Admin\Pictures\ResolveSync.png => C:\Users\Admin\Pictures\ResolveSync.png.PYZWR
  - File renamed: C:\Users\Admin\Pictures\UninstallPublish.crw => C:\Users\Admin\Pictures\UninstallPublish.crw.PYZWR
- Drops startup file (1 IoC)
  Processes: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  - pid 1196: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  - pid 2704: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  - pid 2704: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  - pid 428 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - pid 3992 WMIC.exe (the following sequence of 21 tokens is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe, cmd.exe
  - PID 2704 (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe) wrote to memory of 2176 (cmd.exe)
  - PID 2704 (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe) wrote to memory of 2176 (cmd.exe)
  - PID 2176 (cmd.exe) wrote to memory of 3992 (WMIC.exe)
  - PID 2176 (cmd.exe) wrote to memory of 3992 (WMIC.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Desktop\readme.txt
  MD5: 99d61a6ea8c6d6df2b07c1885461260f
  SHA1: 0d655a6c42b758ed05f88c65a11d3d66d9a46314
  SHA256: 64ce05600e8afb96aedb3c792be8f059300952b347a178f07117aec55ccb28f9
  SHA512: f3806833419b68c4b1c5762817096da322a6d1f7af264f2b968240d6ee69fc61c5c2e82443ce593ac2077eb8d4253581b0d0268b3df6572801b5e08bfb494150
- memory/2176-115-0x0000000000000000-mapping.dmp
- memory/3992-116-0x0000000000000000-mapping.dmp