Analysis
max time kernel: 128s
max time network: 33s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 28/06/2023, 14:53
Static task: static1
Behavioral task: behavioral1
  Sample: Crypter.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: Crypter.exe
  Resource: win10v2004-20230621-en
General
Target: Crypter.exe
Size: 141KB
MD5: 26156564a104eae0cc9b06306a63ed9a
SHA1: a81e06b82d233c813b8803ce1c608b83cbbba8e6
SHA256: f1bb5ce204bc9e9fd12c3cb8c376e36e9ab47528c7c1ca865b38b8bd02314fc9
SHA512: f5d502ded9705a7dc53243d9dfae2095f95fbbc288a737f2d4259caa8a6ecbc6b256d786fae042d12af4931b79033540ef0aee98fc6a5ed99539fc7a122b7c98
SSDEEP: 3072:4qHmFIAcneRB2ukEtRJ2XgqNjjCvvkfV7mF:JmsexkEt2hWCm
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (10303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Modifies extensions of user files (16 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\BackupInitialize.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\ConvertToStop.tif => C:\Users\Admin\Pictures\ConvertToStop.tif.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertToStop.tif.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\PushLock.png => C:\Users\Admin\Pictures\PushLock.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\MountSuspend.png => C:\Users\Admin\Pictures\MountSuspend.png.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectMeasure.raw.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\WaitRedo.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\BackupInitialize.png => C:\Users\Admin\Pictures\BackupInitialize.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\ConfirmTest.tif => C:\Users\Admin\Pictures\ConfirmTest.tif.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\ConfirmTest.tif.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\MountSuspend.png.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\PushLock.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\StopPublish.png => C:\Users\Admin\Pictures\StopPublish.png.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\UnprotectMeasure.raw => C:\Users\Admin\Pictures\UnprotectMeasure.raw.resq100 | Crypter.exe
File renamed | C:\Users\Admin\Pictures\WaitRedo.png => C:\Users\Admin\Pictures\WaitRedo.png.resq100 | Crypter.exe
File opened for modification | C:\Users\Admin\Pictures\StopPublish.png.resq100 | Crypter.exe
Executes dropped EXE (1 IoCs)
pid | Process
924 | L11.tmp

Loads dropped DLL (1 IoCs)
pid | Process
288 | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Crypter.exe
File opened (read-only) | \??\M: | Crypter.exe
File opened (read-only) | \??\P: | Crypter.exe
File opened (read-only) | \??\T: | Crypter.exe
File opened (read-only) | \??\V: | Crypter.exe
File opened (read-only) | \??\W: | Crypter.exe
File opened (read-only) | \??\A: | Crypter.exe
File opened (read-only) | \??\E: | Crypter.exe
File opened (read-only) | \??\L: | Crypter.exe
File opened (read-only) | \??\O: | Crypter.exe
File opened (read-only) | \??\Q: | Crypter.exe
File opened (read-only) | \??\S: | Crypter.exe
File opened (read-only) | \??\Y: | Crypter.exe
File opened (read-only) | \??\F: | Crypter.exe
File opened (read-only) | \??\G: | Crypter.exe
File opened (read-only) | \??\Z: | Crypter.exe
File opened (read-only) | \??\D: | Crypter.exe
File opened (read-only) | \??\B: | Crypter.exe
File opened (read-only) | \??\U: | Crypter.exe
File opened (read-only) | \??\K: | Crypter.exe
File opened (read-only) | \??\N: | Crypter.exe
File opened (read-only) | \??\R: | Crypter.exe
File opened (read-only) | \??\X: | Crypter.exe
File opened (read-only) | \??\I: | Crypter.exe
File opened (read-only) | \??\J: | Crypter.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\content-types.properties | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF | Crypter.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\resq_Recovery.txt | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR25F.GIF.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg | Crypter.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\resq_Recovery.txt | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Darwin | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT | Crypter.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\THMBNAIL.PNG | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | Crypter.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.resq100 | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.resq100 | Crypter.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\resq_Recovery.txt | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00468_.WMF.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui.resq100 | Crypter.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.resq100 | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF | Crypter.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF | Crypter.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar | Crypter.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui.resq100 | Crypter.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1064 | schtasks.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1728 | vssadmin.exe
828 | vssadmin.exe
Opens file in notepad (likely ransom note) (3 IoCs)
pid | Process
204 | NOTEPAD.EXE
852 | NOTEPAD.EXE
1512 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid | Process
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
1768 | Crypter.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1768 | Crypter.exe
Token: SeRestorePrivilege | 1768 | Crypter.exe
Token: SeBackupPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeAuditPrivilege | 1768 | Crypter.exe
Token: SeSecurityPrivilege | 1768 | Crypter.exe
Token: SeIncBasePriorityPrivilege | 1768 | Crypter.exe
Token: SeBackupPrivilege | 960 | vssvc.exe
Token: SeRestorePrivilege | 960 | vssvc.exe
Token: SeAuditPrivilege | 960 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Token: SeTakeOwnershipPrivilege | 1768 | Crypter.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
292 | 7zG.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 1768 wrote to memory of 1716 | 1768 | Crypter.exe | 29
PID 1768 wrote to memory of 1716 | 1768 | Crypter.exe | 29
PID 1768 wrote to memory of 1716 | 1768 | Crypter.exe | 29
PID 1768 wrote to memory of 1716 | 1768 | Crypter.exe | 29
PID 1768 wrote to memory of 1252 | 1768 | Crypter.exe | 31
PID 1768 wrote to memory of 1252 | 1768 | Crypter.exe | 31
PID 1768 wrote to memory of 1252 | 1768 | Crypter.exe | 31
PID 1768 wrote to memory of 1252 | 1768 | Crypter.exe | 31
PID 1716 wrote to memory of 1064 | 1716 | cmd.exe | 33
PID 1716 wrote to memory of 1064 | 1716 | cmd.exe | 33
PID 1716 wrote to memory of 1064 | 1716 | cmd.exe | 33
PID 1716 wrote to memory of 1064 | 1716 | cmd.exe | 33
PID 1252 wrote to memory of 1728 | 1252 | cmd.exe | 34
PID 1252 wrote to memory of 1728 | 1252 | cmd.exe | 34
PID 1252 wrote to memory of 1728 | 1252 | cmd.exe | 34
PID 1768 wrote to memory of 1948 | 1768 | Crypter.exe | 45
PID 1768 wrote to memory of 1948 | 1768 | Crypter.exe | 45
PID 1768 wrote to memory of 1948 | 1768 | Crypter.exe | 45
PID 1768 wrote to memory of 1948 | 1768 | Crypter.exe | 45
PID 1768 wrote to memory of 288 | 1768 | Crypter.exe | 47
PID 1768 wrote to memory of 288 | 1768 | Crypter.exe | 47
PID 1768 wrote to memory of 288 | 1768 | Crypter.exe | 47
PID 1768 wrote to memory of 288 | 1768 | Crypter.exe | 47
PID 1768 wrote to memory of 1288 | 1768 | Crypter.exe | 48
PID 1768 wrote to memory of 1288 | 1768 | Crypter.exe | 48
PID 1768 wrote to memory of 1288 | 1768 | Crypter.exe | 48
PID 1768 wrote to memory of 1288 | 1768 | Crypter.exe | 48
PID 1948 wrote to memory of 828 | 1948 | cmd.exe | 51
PID 1948 wrote to memory of 828 | 1948 | cmd.exe | 51
PID 1948 wrote to memory of 828 | 1948 | cmd.exe | 51
PID 288 wrote to memory of 924 | 288 | cmd.exe | 52
PID 288 wrote to memory of 924 | 288 | cmd.exe | 52
PID 288 wrote to memory of 924 | 288 | cmd.exe | 52
PID 288 wrote to memory of 924 | 288 | cmd.exe | 52
PID 1288 wrote to memory of 1060 | 1288 | cmd.exe | 53
PID 1288 wrote to memory of 1060 | 1288 | cmd.exe | 53
PID 1288 wrote to memory of 1060 | 1288 | cmd.exe | 53
PID 1288 wrote to memory of 1060 | 1288 | cmd.exe | 53
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Crypter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
  PID: 1768
  Signatures: Modifies extensions of user files; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" /F
    PID: 1716
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" /F
      PID: 1064
      Signatures: Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1252
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1728
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1948
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 828
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\L11.tmp"
    PID: 288
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\L11.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\L11.tmp
      PID: 924
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
    PID: 1288
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      PID: 1060
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 960
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\resq_Recovery.txt
  PID: 852
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\resq_Recovery.txt
  PID: 1512
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\resq_Recovery.txt
  PID: 204
  Signatures: Opens file in notepad (likely ransom note)
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18302:282:7zEvent14191 -ad -saa -- "C:\Users\Admin\Documents\Documents"
  PID: 292
  Signatures: Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x570
  PID: 2040
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: ab65af4349e7c5b0872c8b808d036980
  SHA1: 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
  SHA256: a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
  SHA512: 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679
- Filesize: 5KB
  MD5: ab65af4349e7c5b0872c8b808d036980
  SHA1: 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
  SHA256: a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
  SHA512: 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679
- Filesize: 690B
  MD5: 557f56a43cfbac7ddf83eeefb5aaeaa6
  SHA1: 0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a
  SHA256: 3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78
  SHA512: 1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df
- Filesize: 821KB
  MD5: eb01332a8b8c2fa528c0d2f8d35f5a85
  SHA1: 5bf0972a788b0312c2084452b081c022edb0290a
  SHA256: 4944a94c603a747582d2bce8fa0c88786b0eb30afeda46acfcd34c483ad06cf4
  SHA512: 7316544220f8a2269cba8cd1037b6a90cc6695680f8ce78faafb7c1c65380e82025544d33cea390c923cb725bfab0fd789221d193365db5a944f23803f584151
- Filesize: 403KB
  MD5: 3e10e0145b26950172d73096e853e95c
  SHA1: 796d15533fbdec1943088513d483484bdb2f3ee3
  SHA256: 701372039a93f9c2ee1bd1c47348e4d6961a48587d835cbebb0d50d3a566b3a2
  SHA512: 7dfa16e4687dfec304bf3da426f34cc375c047f474e309fd3163f40c60a370c7d70cd4fe0f7db445b7acc115d92ddb4f0ae53000df1f0ab9fe1d59f284ed74b7
- Filesize: 690B
  MD5: 557f56a43cfbac7ddf83eeefb5aaeaa6
  SHA1: 0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a
  SHA256: 3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78
  SHA512: 1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df
- Filesize: 690B
  MD5: 557f56a43cfbac7ddf83eeefb5aaeaa6
  SHA1: 0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a
  SHA256: 3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78
  SHA512: 1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df
- Filesize: 5KB
  MD5: ab65af4349e7c5b0872c8b808d036980
  SHA1: 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
  SHA256: a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
  SHA512: 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679