conti | cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
Size

268KB
MD5

cfea8286f13e566324aca989bbf1ecdd
SHA1

0a295ca16213502d5a6629553cf2b168b2a4dfc7
SHA256

cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902
SHA512

674cf146d76a5ecfa18da92c987eea09c8f055d6a2474311c825e6a5877ca4f8eb72413dba393c8e314016665d85534842103bece430c417b1c004aa2aadcd70
SSDEEP

3072:pLJGBP1t82ETTwPAobQ3tOqmb14Gul22QZkN7S44EXZNxRx6kFYDRzuU:VJEPCTwPp03YqyNulakL96fDRH

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- UER3GkowzzbBdoDPcmyBX9VeFqJwjP3eaRdqiYnKkc9wCu2jcHrnl8Vstgl447Ve ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (2809) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\readme.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\readme.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00190_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02791_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File created	C:\Program Files (x86)\Common Files\System\ado\readme.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\readme.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\FormatBlock.wma	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00513_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107502.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00433_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282126.WMF	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\ExpandUnlock.mpv2	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2556	WMIC.exe
Token: SeSecurityPrivilege	2556	WMIC.exe
Token: SeTakeOwnershipPrivilege	2556	WMIC.exe
Token: SeLoadDriverPrivilege	2556	WMIC.exe
Token: SeSystemProfilePrivilege	2556	WMIC.exe
Token: SeSystemtimePrivilege	2556	WMIC.exe
Token: SeProfSingleProcessPrivilege	2556	WMIC.exe
Token: SeIncBasePriorityPrivilege	2556	WMIC.exe
Token: SeCreatePagefilePrivilege	2556	WMIC.exe
Token: SeBackupPrivilege	2556	WMIC.exe
Token: SeRestorePrivilege	2556	WMIC.exe
Token: SeShutdownPrivilege	2556	WMIC.exe
Token: SeDebugPrivilege	2556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2556	WMIC.exe
Token: SeRemoteShutdownPrivilege	2556	WMIC.exe
Token: SeUndockPrivilege	2556	WMIC.exe
Token: SeManageVolumePrivilege	2556	WMIC.exe
Token: 33	2556	WMIC.exe
Token: 34	2556	WMIC.exe
Token: 35	2556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2556	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2856	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	32
PID 3060 wrote to memory of 2856	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	32
PID 3060 wrote to memory of 2856	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	32
PID 3060 wrote to memory of 2856	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	32
PID 2856 wrote to memory of 3044	2856	cmd.exe	33
PID 2856 wrote to memory of 3044	2856	cmd.exe	33
PID 2856 wrote to memory of 3044	2856	cmd.exe	33
PID 3060 wrote to memory of 2524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	34
PID 3060 wrote to memory of 2524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	34
PID 3060 wrote to memory of 2524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	34
PID 3060 wrote to memory of 2524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	34
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 3060 wrote to memory of 3012	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	37
PID 3060 wrote to memory of 3012	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	37
PID 3060 wrote to memory of 3012	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	37
PID 3060 wrote to memory of 3012	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	37
PID 3012 wrote to memory of 2056	3012	cmd.exe	39
PID 3012 wrote to memory of 2056	3012	cmd.exe	39
PID 3012 wrote to memory of 2056	3012	cmd.exe	39
PID 3060 wrote to memory of 1664	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	40
PID 3060 wrote to memory of 1664	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	40
PID 3060 wrote to memory of 1664	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	40
PID 3060 wrote to memory of 1664	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	40
PID 1664 wrote to memory of 1924	1664	cmd.exe	42
PID 1664 wrote to memory of 1924	1664	cmd.exe	42
PID 1664 wrote to memory of 1924	1664	cmd.exe	42
PID 3060 wrote to memory of 2824	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	43
PID 3060 wrote to memory of 2824	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	43
PID 3060 wrote to memory of 2824	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	43
PID 3060 wrote to memory of 2824	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	43
PID 2824 wrote to memory of 2828	2824	cmd.exe	45
PID 2824 wrote to memory of 2828	2824	cmd.exe	45
PID 2824 wrote to memory of 2828	2824	cmd.exe	45
PID 3060 wrote to memory of 2884	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	46
PID 3060 wrote to memory of 2884	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	46
PID 3060 wrote to memory of 2884	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	46
PID 3060 wrote to memory of 2884	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	46
PID 2884 wrote to memory of 112	2884	cmd.exe	48
PID 2884 wrote to memory of 112	2884	cmd.exe	48
PID 2884 wrote to memory of 112	2884	cmd.exe	48
PID 3060 wrote to memory of 1640	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	49
PID 3060 wrote to memory of 1640	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	49
PID 3060 wrote to memory of 1640	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	49
PID 3060 wrote to memory of 1640	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	49
PID 1640 wrote to memory of 1948	1640	cmd.exe	51
PID 1640 wrote to memory of 1948	1640	cmd.exe	51
PID 1640 wrote to memory of 1948	1640	cmd.exe	51
PID 3060 wrote to memory of 2476	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	52
PID 3060 wrote to memory of 2476	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	52
PID 3060 wrote to memory of 2476	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	52
PID 3060 wrote to memory of 2476	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	52
PID 2476 wrote to memory of 796	2476	cmd.exe	54
PID 2476 wrote to memory of 796	2476	cmd.exe	54
PID 2476 wrote to memory of 796	2476	cmd.exe	54
PID 3060 wrote to memory of 524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	55
PID 3060 wrote to memory of 524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	55
PID 3060 wrote to memory of 524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	55
PID 3060 wrote to memory of 524	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	55
PID 524 wrote to memory of 268	524	cmd.exe	57
PID 524 wrote to memory of 268	524	cmd.exe	57
PID 524 wrote to memory of 268	524	cmd.exe	57
PID 3060 wrote to memory of 1060	3060	cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe
"C:\Users\Admin\AppData\Local\Temp\cf941154cc06005a15ff3ca2f601e13b537794254d338f63eadd260855115902.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9313BACB-D388-4C87-8603-2A9BDA02A711}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9313BACB-D388-4C87-8603-2A9BDA02A711}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DD74019-AEB2-44E3-8204-38EC7532FEC9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DD74019-AEB2-44E3-8204-38EC7532FEC9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C6DB5F5F-8C90-4996-8420-A9F3DF9F3AB7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C6DB5F5F-8C90-4996-8420-A9F3DF9F3AB7}'" delete
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10362B48-D31F-4682-91AC-19CA638138CE}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10362B48-D31F-4682-91AC-19CA638138CE}'" delete
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47FD83EB-E169-4C9D-977D-43210B750448}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47FD83EB-E169-4C9D-977D-43210B750448}'" delete
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEA06FF1-79E6-4132-B5B9-4B8848B82D07}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEA06FF1-79E6-4132-B5B9-4B8848B82D07}'" delete
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E4A1BCA-2AB1-4247-8793-00BE06DDD994}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E4A1BCA-2AB1-4247-8793-00BE06DDD994}'" delete
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39999679-6A1C-4F23-8778-476E20A1E6E8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39999679-6A1C-4F23-8778-476E20A1E6E8}'" delete
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D906C982-D450-4B94-BED7-AA42ED633193}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D906C982-D450-4B94-BED7-AA42ED633193}'" delete
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4090A7AE-3DC7-4B05-9A93-B38573F81E72}'" delete
  2⤵
  PID:1060
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4090A7AE-3DC7-4B05-9A93-B38573F81E72}'" delete
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BC0186E-06CA-424E-9D24-78A9062327A7}'" delete
  2⤵
  PID:1652
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BC0186E-06CA-424E-9D24-78A9062327A7}'" delete
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A3BB1CE-2423-4A7D-8594-71140A532E6D}'" delete
  2⤵
  PID:1560
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8A3BB1CE-2423-4A7D-8594-71140A532E6D}'" delete
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C6A06A5-58C0-4BEF-8FE4-AECB87783278}'" delete
  2⤵
  PID:2288
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C6A06A5-58C0-4BEF-8FE4-AECB87783278}'" delete
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{234F8A6D-1D4F-4AE6-B12B-4155730082D7}'" delete
  2⤵
  PID:2952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{234F8A6D-1D4F-4AE6-B12B-4155730082D7}'" delete
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{11BFC72D-5805-4D28-A03F-9C9A5D744F11}'" delete
  2⤵
  PID:2148
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{11BFC72D-5805-4D28-A03F-9C9A5D744F11}'" delete
    3⤵
    PID:2372
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FA88673-7A73-45B5-BA33-CC3AED24ED76}'" delete
  2⤵
  PID:2040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FA88673-7A73-45B5-BA33-CC3AED24ED76}'" delete
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{697AD7B8-85C0-4FD6-872E-7BEFA0B9A9F1}'" delete
  2⤵
  PID:396
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{697AD7B8-85C0-4FD6-872E-7BEFA0B9A9F1}'" delete
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{293929E6-A6DC-4F4F-A229-67BBCE870129}'" delete
  2⤵
  PID:2420
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{293929E6-A6DC-4F4F-A229-67BBCE870129}'" delete
    3⤵
    PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
02aca66083f85518ca1ac4bb688e7b4f

SHA1
8b6dab3ceb858ce768bc4d584597605dae5963cc

SHA256
60b63e95a062a9ac3694683db5f6b72f60856073f66a402558152ed5b34d2dd8

SHA512
304e6827421e72c614e69006eafa7b8863446980351d4875fb733b6388aee8787b08b87afee194988dbadf0a2d620ac3db3836f70b9e1eb271c23fa0f354de39

Download Submit
memory/3060-0-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/3060-139-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/3060-309-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/3060-1251-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/3060-1525-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/3060-1526-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download