Analysis
-
max time kernel
231s -
max time network
232s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
21-11-2022 05:47
Static task
static1
Behavioral task
behavioral1
Sample
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Resource
win10v2004-20221111-en
General
-
Target
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
-
Size
189KB
-
MD5
f1ebb4dbdfc6ec7a53bcefabdc7fb6de
-
SHA1
b76bc50249e7420ac0f4f64e83d1a58da2068eaa
-
SHA256
bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb
-
SHA512
8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788
-
SSDEEP
3072:t3blGV9hulKmhbfvjv69vF6nHynNPFW7Lifa81Hh7Gl8emNiq8q/f+2L:t3bq9UlKgPuEyNFWSb1Hg6l8q/ffL
Malware Config
Extracted
C:\WE CAN RECOVER YOUR DATA.txt
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Executes dropped EXE 1 IoCs
pid Process 1116 nrnkgirn.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\DisconnectClose.tiff nrnkgirn.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation nrnkgirn.exe
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini nrnkgirn.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\U: nrnkgirn.exe
File opened (read-only) \??\Z: nrnkgirn.exe
File opened (read-only) \??\A: nrnkgirn.exe
File opened (read-only) \??\Q: nrnkgirn.exe
File opened (read-only) \??\S: nrnkgirn.exe
File opened (read-only) \??\W: nrnkgirn.exe
File opened (read-only) \??\Y: nrnkgirn.exe
File opened (read-only) \??\I: nrnkgirn.exe
File opened (read-only) \??\K: nrnkgirn.exe
File opened (read-only) \??\M: nrnkgirn.exe
File opened (read-only) \??\O: nrnkgirn.exe
File opened (read-only) \??\R: nrnkgirn.exe
File opened (read-only) \??\T: nrnkgirn.exe
File opened (read-only) \??\X: nrnkgirn.exe
File opened (read-only) \??\B: nrnkgirn.exe
File opened (read-only) \??\F: nrnkgirn.exe
File opened (read-only) \??\H: nrnkgirn.exe
File opened (read-only) \??\L: nrnkgirn.exe
File opened (read-only) \??\N: nrnkgirn.exe
File opened (read-only) \??\V: nrnkgirn.exe
File opened (read-only) \??\E: nrnkgirn.exe
File opened (read-only) \??\G: nrnkgirn.exe
File opened (read-only) \??\J: nrnkgirn.exe
File opened (read-only) \??\P: nrnkgirn.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4540 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1116 nrnkgirn.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1116 nrnkgirn.exe
Token: SeBackupPrivilege 2360 vssvc.exe
Token: SeRestorePrivilege 2360 vssvc.exe
Token: SeAuditPrivilege 2360 vssvc.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2024 wrote to memory of 1116 2024 bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe 84
PID 1116 wrote to memory of 4640 1116 nrnkgirn.exe 93
PID 4640 wrote to memory of 3808 4640 cmd.exe 95
PID 1116 wrote to memory of 4728 1116 nrnkgirn.exe 104
PID 4728 wrote to memory of 4540 4728 cmd.exe 106
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb.exe"
Depth: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024
-
  Path: C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe
  Command line: "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe"
  Depth: 2
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
  -
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
    Depth: 3
    - Suspicious use of WriteProcessMemory
    PID:4640
    -
      Path: C:\Windows\SysWOW64\cscript.exe
      Command line: CSCRIPT.EXE //E:JScript "C:\Users\Admin\AppData\Local\Temp\PRNALLRP.SYS"
      Depth: 4
      PID:3808
    -
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c for /l %i in (1,1,1000) do (ping -n 2 localhost & del "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe" & if not exist "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\nrnkgirn.exe" exit)
    Depth: 3
    - Suspicious use of WriteProcessMemory
    PID:4728
    -
      Path: C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 localhost
      Depth: 4
      - Runs ping.exe
      PID:4540
-
Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:2360
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
189KB
MD5 f1ebb4dbdfc6ec7a53bcefabdc7fb6de
SHA1 b76bc50249e7420ac0f4f64e83d1a58da2068eaa
SHA256 bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb
SHA512 8608689d716fe8ed44348b4382cf4aed67de6dd4a9da2d92a8fcbd731ccf1a7f42e60ce35376ccef81b67414f2f8ea8bbcd3b2054d78f344ad92d1f4f29ca788
-
Filesize
175B
MD5 98a1a4dbdf75466df301906093847417
SHA1 3e8c7656887496694512e118795f4d28894d8f6e
SHA256 7f8367fc0177355741b1def74b2f1d81d99571f674a014896478815c9fb4d3bd
SHA512 d61cd7cbc63e28189a800efa46f82c5f4a1e513dc945b65e57d4a79308c04ab86945dd48249190456caa582891377e4e75ba678d4b28c28d4d0656d87d31519b