Overview

overview

10

Static

static

7

SysLogsService.exe

windows7_x64

10

SysLogsService.exe

windows10_x64

10

Resubmissions

26-09-2022 15:09

220926-sjlzjscchm 9

05-12-2021 07:55

211205-jscmsscbeq 10

Analysis

  • max time kernel
    79s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    05-12-2021 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SysLogsService.exe

  • Size

    7.7MB

  • MD5

    0b97fa8b682939e55df2bcfe3d17dba5

  • SHA1

    9d0101a59a1f705d55ab5acb0577ea9a967a6bab

  • SHA256

    ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4

  • SHA512

    1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68

Score
10/10
dmalockerevasionransomwarespywarestealersuricatathemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\CRYPTiNFO.TXT

Ransom Note
################################################################################# ############## You became victim of the .T1000 Ransomware-Virus C&C ############# ################################################################################# The harddisks of your computer have been encrypted with an military grade encryption algorithm TermCryptS7+RSA4096. There is no way to restore your data without a special key. To get RSA private key you have to contact us via the link below, located in the TOR private network ######################################################## ##HWID YOUR SYSTEM >> {56DD9D47-7BE5-8B82-389B91405260980C} > Required when paying ######################################################################### ##Download the Tor Browser at >>> https://www.torproject.org <<< ##If you need help. please google for "access onion page". ## Uisit one of the following pages with the Tor Browser: ##http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/index.php >>> For payment ##Amount to pay Bitcoin Exchangers for exchanging for cryptocurrency: >>> https://www.bestchange.net <<< If you want to decrypt your files, you have to get RSA private key. ## Chat support: > http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat ## Jabber: > [email protected] FULL ONLINE< ##After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. ## If you have any problems with TOR browser, TELEGRAM us: >> @t1000rn << >>>>Do not pay data recovery companies to get the key, they will email me! <<<< We ready to answer all your questions! ## ## HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file! ##################### ############### LIST OF ENCRYPTED FILES ####################################### ############################################################################### -------------------------------------------------------------------------------- C:\vcredist2010_x64.log.html 88496 C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log 169694 C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log 197550 C:\Users\Default\NTUSER.DAT.LOG 1024 C:\Users\Admin\deployment.properties 1646 C:\Users\Admin\ntuser.dat.LOG1 0 C:\Users\Admin\ntuser.dat.LOG2 0 C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 0 C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 0 C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 0 C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log 171966 C:\Users\Default\NTUSER.DAT.LOG1 189440 C:\Users\Default\NTUSER.DAT.LOG2 0 C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 65536 C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 524288 C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 524288 C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\boot.sdi 3170304 C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log 193102 C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log 120814 C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log 131692 C:\Users\Admin\Contacts\Admin.contact 68374 C:\Users\Public\Libraries\RecordedTV.library-ms 876 C:\Users\Admin\Desktop\CompleteCompare.mpg 369180 C:\Users\Admin\Desktop\CompressBlock.zip 843840 C:\Users\Admin\Desktop\ConnectPublish.xls 975690 C:\Users\Admin\Desktop\ConnectRestart.DVR 632880 C:\Users\Admin\Desktop\CopySkip.xsl 421920 C:\Users\Admin\Desktop\DisconnectConfirm.mht 764730 C:\Users\Admin\Desktop\DisconnectSwitch.mpeg3 791100 C:\Users\Admin\Desktop\ExitConfirm.wpl 474660 C:\Users\Admin\Desktop\ExportOpen.ppsx 501030 C:\Users\Admin\Desktop\ExportResume.wps 448290 C:\Users\Admin\Desktop\FindReset.DVR 922950 C:\Users\Admin\Desktop\FormatSuspend.aiff 685620 C:\Users\Admin\Desktop\NewEnable.otf 606510 C:\Users\Admin\Desktop\NewExit.mpe 342810 C:\Users\Admin\Desktop\ReceiveDismount.emz 1344542 C:\Users\Admin\Downloads\BlockSplit.vst 753160 C:\Users\Admin\Desktop\RegisterConnect.png 580140 C:\Users\Admin\Downloads\ClearUpdate.xsl 626312 C:\Users\Admin\Desktop\RestartRemove.M2V 659250 C:\Users\Admin\Downloads\CloseUninstall.wma 388472 C:\Users\Admin\Desktop\RevokeReset.mp4 395550 C:\Users\Admin\Downloads\CompleteUnprotect.mov 467752 C:\Users\Admin\Desktop\SearchUnprotect.html 870210 C:\Users\Admin\Downloads\CompressUnpublish.mp4 309192 C:\Users\Admin\Desktop\ShowClear.pps 553770 C:\Users\Admin\Downloads\CopyUpdate.tmp 848296 C:\Users\Admin\Downloads\DenyStep.wax 325048 C:\Users\Admin\Desktop\SubmitAssert.gif 817470 C:\Users\Admin\Downloads\ExitAssert.rm 864152 C:\Users\Admin\Desktop\SuspendSplit.ppsx 711990 C:\Users\Admin\Downloads\ExpandEnter.zip 451896 C:\Users\Admin\Downloads\ExportCompare.crw 547032 C:\Users\Admin\Desktop\TestMerge.mp4 738360 C:\Users\Admin\Downloads\ExportConvertFrom.rle 832440 C:\Users\Admin\Downloads\ExportDebug.pptm 769016 C:\Users\Admin\Downloads\GrantClear.aifc 594600 C:\Users\Admin\Desktop\WaitUnprotect.dxf 896580 C:\Users\Admin\Downloads\GrantUninstall.xltx 784872 C:\Users\Admin\Downloads\ImportRequest.cr2 531176 C:\Users\Admin\Downloads\InstallMeasure.easmx 673880 C:\Users\Admin\Downloads\MountRestore.au 642168 C:\Users\Admin\Downloads\MoveClose.dxf 658024 C:\Users\Admin\Downloads\OpenPush.pcx 483608 C:\Users\Admin\Downloads\OutUpdate.M2V 578744 C:\Users\Admin\Pictures\ApproveInstall.tiff 159744 C:\Users\Admin\Pictures\CheckpointWrite.wmf 129024 C:\Users\Admin\Pictures\CopyImport.raw 258048 C:\Users\Admin\Pictures\DebugInstall.jpeg 221184 C:\Users\Admin\Pictures\DenyMerge.eps 245760 C:\Users\Admin\Pictures\DenyUnlock.jpeg 264192 C:\Users\Admin\Pictures\DismountCopy.crw 98304 C:\Users\Admin\Pictures\FindRevoke.tiff 184320 C:\Users\Admin\Pictures\ImportJoin.pcx 276480 C:\Users\Admin\Pictures\MeasureAdd.pcx 147456 C:\Users\Admin\Pictures\PingSwitch.dxf 135168 C:\Users\Admin\Documents\Are.docx 11525 C:\Users\Admin\Documents\ClearUpdate.vstx 788929 C:\Users\Admin\Documents\CompressUndo.csv 314040 C:\Users\Admin\Documents\ConvertToClose.odt 283402 C:\Users\Admin\Documents\DenySelect.dotm 574463 C:\Users\Admin\Documents\DenySuspend.ppt 298721 C:\Users\Admin\Documents\DenyUnregister.xls 651058 C:\Users\Admin\Documents\EnableCompress.odp 804248 C:\Users\Admin\Documents\EnableExpand.vst 513187 C:\Users\Admin\Documents\EnterWait.dot 528506 C:\Users\Admin\Documents\ExitInitialize.odp 742972 C:\Users\Admin\Documents\Files.docx 11551 C:\Users\Admin\Documents\FindShow.pptx 451911 C:\Users\Admin\Documents\JoinDisable.csv 727653 C:\Users\Admin\Documents\MeasureRename.odp 390635 C:\Users\Admin\Documents\MergeDeny.mhtml 605101 C:\Users\Admin\Documents\MergeLock.mpp 758291 C:\Users\Admin\Documents\MountAssert.pdf 819567 C:\Users\Admin\Documents\MountSubmit.ppsm 712334 C:\Users\Admin\Music\ApproveCompare.dib 239616 C:\Users\Admin\Documents\NewDisable.vsdx 329359 C:\Users\Admin\Pictures\PublishSend.svg 122880 C:\Users\Admin\Pictures\ReceivePush.dwg 233472 C:\Users\Admin\Documents\Opened.docx 11538 C:\Users\Admin\Searches\Everywhere.search-ms 248 C:\Users\Admin\Searches\Indexed Locations.search-ms 248 C:\Users\Admin\Documents\PingDismount.vdw 773610 C:\Users\Admin\Music\ApproveRepair.mpg 276480 C:\Users\Admin\Pictures\RenameRegister.dwg 165888 C:\Users\Admin\Downloads\PopMove.mht 562888 C:\Users\Admin\Pictures\RepairWrite.gif 215040 C:\Users\Admin\Pictures\ResolveClose.tiff 208896 C:\Users\Admin\Pictures\ResolveDisconnect.raw 196608 C:\Users\Admin\Downloads\PopUnprotect.rtf 800728 C:\Users\Admin\Pictures\RevokeTest.emf 387072 C:\Users\Admin\Pictures\SaveStep.gif 104448 C:\Users\Admin\Downloads\PublishStop.xsl 895864 C:\Users\Admin\Pictures\ShowLock.png 153600 C:\Users\Admin\Pictures\SuspendPush.eps 251904 C:\Users\Admin\Pictures\UnblockRegister.crw 190464 C:\Users\Admin\Pictures\UninstallClear.tiff 116736 C:\Users\Admin\Downloads\PushLimit.aifc 1221184 C:\Users\Admin\Documents\PublishCompress.mhtml 359997 C:\Users\Admin\Downloads\PushUninstall.pcx 499464 C:\Users\Admin\Downloads\RestartInvoke.js 420184 C:\Users\Admin\Documents\ReadBlock.pps 681696 C:\Users\Admin\Music\AssertExit.7z 331776 C:\Users\Admin\Pictures\UpdateRepair.dwg 239616 C:\Users\Admin\Music\BackupCompare.vstx 368640 C:\Users\Admin\Pictures\WatchUnregister.png 282624 C:\Users\Admin\Downloads\RestartSet.mp4 404328 C:\Users\Admin\Music\ClearEnter.xhtml 322560 C:\Users\Admin\Downloads\RestoreConnect.tif 689736 C:\Users\Admin\Music\CompleteGrant.wvx 423936 C:\Users\Admin\Music\ConfirmConvertTo.jpeg 221184 C:\Users\Admin\Downloads\SearchSubmit.xlsb 356760 C:\Users\Admin\Music\ConvertToRequest.pptx 313344 C:\Users\Admin\Music\CopyDeny.nfo 147456 C:\Users\Admin\Downloads\SuspendExit.mpa 610456 C:\Users\Admin\Music\ExportDismount.zip 230400 C:\Users\Admin\Downloads\SuspendFind.midi 436040 C:\Users\Admin\Music\ExportRestore.mid 387072 C:\Users\Admin\Downloads\SuspendOpen.ppsm 705592 C:\Users\Admin\Music\ImportSplit.htm 580608 C:\Users\Admin\Music\ImportUninstall.001 175104 C:\Users\Admin\Music\InvokePublish.php 202752 C:\Users\Admin\Music\MoveCompress.shtml 304128 C:\Users\Admin\Downloads\SyncResolve.7z 515320 C:\Users\Admin\Documents\Recently.docx 11533 C:\Users\Admin\Documents\RemoveSelect.html 497868 C:\Users\Admin\Downloads\UnregisterSubmit.mpg 816584 C:\Users\Admin\Documents\RenameBlock.vst 697015 C:\Users\Admin\Downloads\UpdateSet.temp 880008 C:\Users\Admin\Documents\RequestSelect.mhtml 467230 C:\Users\Admin\Downloads\WriteUnprotect.vstm 340904 C:\Users\Admin\Documents\ResetRedo.html 589782 C:\Users\Admin\Music\ProtectExit.midi 184320 C:\Users\Admin\Music\PublishStart.xps 211968 C:\Users\Admin\Music\PushClose.eprtx 396288 C:\Users\Admin\Music\ReadJoin.pptx 405504 C:\Users\Admin\Documents\RestoreRepair.vdw 1118078 C:\Users\Admin\Documents\SaveSkip.docm 543825 C:\Users\Admin\Documents\SearchWait.mht 482549 C:\Users\Admin\Documents\ShowLock.rtf 666377 C:\Users\Admin\Documents\ShowUnlock.potx 635739 C:\Users\Admin\Documents\SkipTrace.xls 344678 C:\Users\Admin\Documents\SuspendUndo.vstm 375316 C:\Users\Admin\Music\ReceiveStop.wpl 193536 C:\Users\Admin\Music\ResetUnprotect.png 294912 C:\Users\Admin\Music\SaveCopy.php 340992 C:\Users\Admin\Music\SplitStart.m4v 258048 C:\Users\Admin\Music\SubmitMeasure.wmx 267264 C:\Users\Admin\Music\SuspendAssert.xht 248832 C:\Users\Admin\Music\TraceWait.xlsm 165888 C:\Users\Admin\Documents\These.docx 11462 C:\Users\Admin\Documents\UndoAdd.rtf 620420 C:\Users\Admin\Documents\UseClear.vsx 421273 C:\Users\Admin\Documents\UseTrace.vdx 436592 C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\Winre.wim 169213970 C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url 134 C:\Users\Admin\Favorites\Links for United States\USA.gov.url 134 C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url 133 C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url 133 C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv 9699328 C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url 133 C:\Users\Admin\Favorites\Links\Suggested Sites.url 302 C:\Users\Admin\Favorites\Links\Web Slice Gallery.url 226 C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url 133 C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url 134 C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url 133 C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url 133 C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url 133 C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url 133 C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url 133 C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url 133 C:\Users\Admin\Favorites\MSN Websites\MSN Money.url 133 C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url 133 C:\Users\Admin\Favorites\MSN Websites\MSN.url 133 C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url 133 C:\Users\Public\Videos\Sample Videos\Wildlife.wmv 26246026
URLs

https://www.bestchange.net

http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

    ransomwaredmalocker
  • suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)

    suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)

    suricata
  • suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)

    suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)

    suricata
  • suricata: ET MALWARE BigLock Ransomware CnC Activity (info)

    suricata: ET MALWARE BigLock Ransomware CnC Activity (info)

    suricata
  • suricata: ET MALWARE BigLock Ransomware CnC Activity (name)

    suricata: ET MALWARE BigLock Ransomware CnC Activity (name)

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 20 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe
    "C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe"
    1⤵
    • Modifies extensions of user files
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:776
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:1528
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:1072
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1832
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1708
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:936
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2032
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:696
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1096
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:852
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1624
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1940
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:440
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1260
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1400
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1372
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1348
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1828
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CRYPTiNFO.TXT
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/776-56-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/776-55-0x000000013F660000-0x000000013FE18000-memory.dmp

    Filesize

    7.7MB

    Download