Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
56s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/10/2022, 01:37
Static task
static1
Behavioral task
behavioral1
Sample
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
Resource
win7-20220812-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
-
Size
388KB
-
MD5
678e01aacc99779c502e9473876548e0
-
SHA1
cd9e404b37a2029e88f904b98f966b7e1284ff70
-
SHA256
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
-
SHA512
9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4
-
SSDEEP
6144:fda8uOhcMWhqVln4xKDW9KobFEFLOSO6/NvsHJxc00d+DzRLITiNs:Va8ivhqVl+KC9LpEQSO62DzRLm
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\HELP_RESTORE_FILES.txt
Ransom Note
All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.
Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com ,
https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser.
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP
Follow the instructions on the server.
If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP
Follow the instructions on the server.
Wallets
15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP
URLs
http://tkj3higtqlvohs7z.aw49f4j3n26.com
http://tkj3higtqlvohs7z.dfj3d8w3n27.com
https://tkj3higtqlvohs7z.s5.tor-gateways.de/
http://tkj3higtqlvohs7z.onion/
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid Process 1724 fjuvlhw.exe 1720 fjuvlhw.exe -
Deletes itself 1 IoCs
pid Process 2036 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run fjuvlhw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdedf = "C:\\Users\\Admin\\AppData\\Roaming\\fjuvlhw.exe" fjuvlhw.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run fjuvlhw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdedf = "C:\\Users\\Admin\\AppData\\Roaming\\fjuvlhw.exe" fjuvlhw.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ipinfo.io -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1660 set thread context of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1724 set thread context of 1720 1724 fjuvlhw.exe 31 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png fjuvlhw.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg fjuvlhw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png fjuvlhw.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt fjuvlhw.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DissolveNoise.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png fjuvlhw.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bn.pak fjuvlhw.exe File opened for modification C:\Program Files\Java\jre7\lib\cmm\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png fjuvlhw.exe File opened for modification C:\Program Files\Internet Explorer\en-US\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Internet Explorer\it-IT\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ach\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar fjuvlhw.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\es-ES\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv fjuvlhw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Java\jre7\HELP_RESTORE_FILES.txt fjuvlhw.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg fjuvlhw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1096 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe 1720 fjuvlhw.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe Token: SeDebugPrivilege 1720 fjuvlhw.exe Token: SeBackupPrivilege 1736 vssvc.exe Token: SeRestorePrivilege 1736 vssvc.exe Token: SeAuditPrivilege 1736 vssvc.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1660 wrote to memory of 1664 1660 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 28 PID 1664 wrote to memory of 1724 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 29 PID 1664 wrote to memory of 1724 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 29 PID 1664 wrote to memory of 1724 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 29 PID 1664 wrote to memory of 1724 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 29 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1724 wrote to memory of 1720 1724 fjuvlhw.exe 31 PID 1664 wrote to memory of 2036 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 30 PID 1664 wrote to memory of 2036 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 30 PID 1664 wrote to memory of 2036 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 30 PID 1664 wrote to memory of 2036 1664 0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe 30 PID 1720 wrote to memory of 1096 1720 fjuvlhw.exe 33 PID 1720 wrote to memory of 1096 1720 fjuvlhw.exe 33 PID 1720 wrote to memory of 1096 1720 fjuvlhw.exe 33 PID 1720 wrote to memory of 1096 1720 fjuvlhw.exe 33 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System fjuvlhw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" fjuvlhw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe"C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exeC:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Roaming\fjuvlhw.exeC:\Users\Admin\AppData\Roaming\fjuvlhw.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Roaming\fjuvlhw.exeC:\Users\Admin\AppData\Roaming\fjuvlhw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:1096
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0A1688~1.EXE >> NUL3⤵
- Deletes itself
PID:2036
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
388KB
MD5678e01aacc99779c502e9473876548e0
SHA1cd9e404b37a2029e88f904b98f966b7e1284ff70
SHA2560a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
SHA5129e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4
-
Filesize
388KB
MD5678e01aacc99779c502e9473876548e0
SHA1cd9e404b37a2029e88f904b98f966b7e1284ff70
SHA2560a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
SHA5129e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4
-
Filesize
388KB
MD5678e01aacc99779c502e9473876548e0
SHA1cd9e404b37a2029e88f904b98f966b7e1284ff70
SHA2560a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
SHA5129e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4
-
Filesize
388KB
MD5678e01aacc99779c502e9473876548e0
SHA1cd9e404b37a2029e88f904b98f966b7e1284ff70
SHA2560a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
SHA5129e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4