conti | 41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
Size

329KB
MD5

f365f7f6c852c1ac172a331d75e8cad5
SHA1

683100cbbdf110828e0ee5e4acf20fc17f596c7a
SHA256

41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5
SHA512

054f22c4fbb377a08bc1c64d441d6b09d3f6451b6b1b2073e77da54fd05075a61dd650525e395d74491856602188ebaf0c19e157ad2153494bcdb2e2e35fc4b8
SSDEEP

6144:8y4IzfDPuh+i2G1EVxJelMWEWEWfiN+DDo0fRjy1KGTKc4dPdEkBC92hOZg+7H:Lf6h+i2hxcKNtpGDFfxy1rK7dW2Cf7H

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- nxGtsvw2bTXAT1KrASQNsiIDqMUk1njit8CpshTA40lnS7JPQpZTLdDQ1YYlM3YX ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7249) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\uk.pak.DATA	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close.png	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\en_get.svg	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Mozilla Firefox\fonts\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling.ort	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\readme.txt	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\ui-strings.js	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
624	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	3148	vssvc.exe
Token: SeRestorePrivilege	3148	vssvc.exe
Token: SeAuditPrivilege	3148	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4552	WMIC.exe
Token: SeSecurityPrivilege	4552	WMIC.exe
Token: SeTakeOwnershipPrivilege	4552	WMIC.exe
Token: SeLoadDriverPrivilege	4552	WMIC.exe
Token: SeSystemProfilePrivilege	4552	WMIC.exe
Token: SeSystemtimePrivilege	4552	WMIC.exe
Token: SeProfSingleProcessPrivilege	4552	WMIC.exe
Token: SeIncBasePriorityPrivilege	4552	WMIC.exe
Token: SeCreatePagefilePrivilege	4552	WMIC.exe
Token: SeBackupPrivilege	4552	WMIC.exe
Token: SeRestorePrivilege	4552	WMIC.exe
Token: SeShutdownPrivilege	4552	WMIC.exe
Token: SeDebugPrivilege	4552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4552	WMIC.exe
Token: SeRemoteShutdownPrivilege	4552	WMIC.exe
Token: SeUndockPrivilege	4552	WMIC.exe
Token: SeManageVolumePrivilege	4552	WMIC.exe
Token: 33	4552	WMIC.exe
Token: 34	4552	WMIC.exe
Token: 35	4552	WMIC.exe
Token: 36	4552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4552	WMIC.exe
Token: SeSecurityPrivilege	4552	WMIC.exe
Token: SeTakeOwnershipPrivilege	4552	WMIC.exe
Token: SeLoadDriverPrivilege	4552	WMIC.exe
Token: SeSystemProfilePrivilege	4552	WMIC.exe
Token: SeSystemtimePrivilege	4552	WMIC.exe
Token: SeProfSingleProcessPrivilege	4552	WMIC.exe
Token: SeIncBasePriorityPrivilege	4552	WMIC.exe
Token: SeCreatePagefilePrivilege	4552	WMIC.exe
Token: SeBackupPrivilege	4552	WMIC.exe
Token: SeRestorePrivilege	4552	WMIC.exe
Token: SeShutdownPrivilege	4552	WMIC.exe
Token: SeDebugPrivilege	4552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4552	WMIC.exe
Token: SeRemoteShutdownPrivilege	4552	WMIC.exe
Token: SeUndockPrivilege	4552	WMIC.exe
Token: SeManageVolumePrivilege	4552	WMIC.exe
Token: 33	4552	WMIC.exe
Token: 34	4552	WMIC.exe
Token: 35	4552	WMIC.exe
Token: 36	4552	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4100	624	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe	98
PID 624 wrote to memory of 4100	624	41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe	98
PID 4100 wrote to memory of 4552	4100	cmd.exe	100
PID 4100 wrote to memory of 4552	4100	cmd.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe
"C:\Users\Admin\AppData\Local\Temp\41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F0454BC-95BB-4EEE-BE84-B270146C6B6F}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F0454BC-95BB-4EEE-BE84-B270146C6B6F}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
0ff023d9e019bb28379a77375272c2ee

SHA1
3c380eadd80214eaba0dfb65ae9e2be962fbefff

SHA256
59b5cf7e0c7fc4dec3122b6047814b4a01c6652598f9f58ee85451211d48b5e0

SHA512
44980825a0056c0d4805e1f13cb2d0c247271cd66344dd571cb6390ec16899363cfdee05e3b693b7bbd3ea4948d376ed91ee515d88c68607b737d9332a4f3cf6

Download Submit
memory/624-18233-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-16-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-8-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-10690-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18231-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-0-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18234-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18236-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18235-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18241-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18242-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download
memory/624-18249-0x000000007F0C0000-0x000000007F0F4000-memory.dmp

Filesize
208KB

Download