Analysis
-
max time kernel
1802s -
max time network
1808s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
23-08-2021 11:12
Static task
static1
Behavioral task
behavioral1
Sample
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe
Resource
win10v20210408
General
-
Target
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe
-
Size
122KB
-
MD5
fc9edc350d7ffdcb9e53390dae26ea5a
-
SHA1
06b1f63eb58202a630cfab82c608111a53177db3
-
SHA256
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87
-
SHA512
84b377ea7f5b066b26f2ba60d3b9dc7fbb088d2f0cca16716bc99fc7bfcdd6f1451bcf3b134b925c090f291bb97fdc5f589dd645795e4d1e5c124a316756c86a
Malware Config
Extracted
C:\60lzy13l-readme.txt
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E49B77C3E305A09
http://decoder.re/9E49B77C3E305A09
Signatures
-
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process File renamed C:\Users\Admin\Pictures\EnableUnlock.crw => \??\c:\users\admin\pictures\EnableUnlock.crw.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\OptimizeApprove.png => \??\c:\users\admin\pictures\OptimizeApprove.png.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\ShowDisconnect.tif => \??\c:\users\admin\pictures\ShowDisconnect.tif.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\UnlockTest.png => \??\c:\users\admin\pictures\UnlockTest.png.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\WaitPop.tif => \??\c:\users\admin\pictures\WaitPop.tif.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\ClearConvertFrom.tif => \??\c:\users\admin\pictures\ClearConvertFrom.tif.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\CompareRevoke.tif => \??\c:\users\admin\pictures\CompareRevoke.tif.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\users\admin\pictures\MergeSearch.tiff fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\MergeSearch.tiff => \??\c:\users\admin\pictures\MergeSearch.tiff.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File renamed C:\Users\Admin\Pictures\MergeTrace.raw => \??\c:\users\admin\pictures\MergeTrace.raw.60lzy13l fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe" fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process File opened (read-only) \??\N: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\W: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\D: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\F: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\I: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\P: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\Q: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\S: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\X: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\B: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\L: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\O: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\R: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\T: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\Z: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\A: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\G: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\H: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\J: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\K: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\M: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\U: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\V: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\E: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened (read-only) \??\Y: fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hyp6f3vl0ak7.bmp" fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Drops file in Program Files directory 31 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process File created \??\c:\program files\60lzy13l-readme.txt fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File created \??\c:\program files (x86)\tmp fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File created \??\c:\program files (x86)\60lzy13l-readme.txt fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\CompleteRedo.mp3 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\ConnectNew.htm fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\ConvertShow.ps1xml fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\SubmitLimit.rtf fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\GrantPop.M2T fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\InvokePop.vsw fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\LockResume.mp3 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\UninstallBackup.js fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\BackupCompress.tiff fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\CompressEnter.i64 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\DenyEnable.aif fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\JoinPop.xht fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\PushSelect.mpeg fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\BlockReceive.pub fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\DenyDebug.doc fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\RemoveConvertTo.WTV fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\ResetApprove.mov fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\RestartSet.bmp fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\ConnectRead.asx fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\EnterShow.asx fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\InvokeSet.easmx fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\SetGrant.shtml fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\UnblockFind.xps fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\UnregisterResume.vsdx fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File created \??\c:\program files\tmp fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\CopyBackup.xltm fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\GroupRead.jpe fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe File opened for modification \??\c:\program files\PingHide.mov fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2F7AA2D86056A8775796F798C481A079E538E004 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2F7AA2D86056A8775796F798C481A079E538E004\Blob = 0300000001000000140000002f7aa2d86056a8775796f798c481a079e538e00414000000010000001400000012c9889b2fc9447a7d12f1df4003429892c724d6040000000100000010000000249f06a9652b2112fc4d7368e6372fec0f00000001000000200000008929be84b4db8bea07b5a70b3bc65a39b1e9b28722689c21893afae875b2ed0c190000000100000010000000d0e6e37d30133bf9aa9f1b76135668425c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000550500003082055130820439a00302010202100c08966535b942a9735265e4f97540bc300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3230303731363132323134345a170d3233303533313233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a47656f547275737420544c5320445620525341204d697865642053484132353620323032302043412d3130820122300d06092a864886f70d01010105000382010f003082010a0282010100b3bd41fb6be6dfa251bf541463c675a651eee388a73a78a09b9e5b917ca5a85933fac66c0750339979fa53f1cc16dde5a69961d34da2ef939402e4c4c95f97d11a6e09da34540bb238c6dd4dad717dbade9bedcb49a04bc363a77f3364b7c7ba7673d21b5286ae9c12e4e7a0ab7cf3efaad5da852308682b1c78e69bafb466fe47d5c18b632c5ccc02f211ded0e9a40c8db9f99accebcc83ab5d84e0aaed19df8f3b553a43b65c114e5af431b6eabd646858109966b2bef39f1a858312a8d7025fec271e6fdf8f80c747edde4b33d31f78b4193b8b13d5f35af35373dd9429245b6d5916cf01c92eeb50450e99f9b6de4527a45e306f8fc3cd4767082d3188c90203010001a382020b30820207301d0603551d0e0416041412c9889b2fc9447a7d12f1df4003429892c724d6301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c3081ce0603551d200481c63081c33081c00604551d20003081b7302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f43505330818a06082b06010505070202307e0c7c416e7920757365206f66207468697320436572746966696361746520636f6e737469747574657320616363657074616e6365206f66207468652052656c79696e672050617274792041677265656d656e74206c6f63617465642061742068747470733a2f2f7777772e64696769636572742e636f6d2f7270612d7561300d06092a864886f70d01010b050003820101007f4bfc33ba6545c2d8416b8e48ab3c02c8fa11b0e61e714ecc57f7b57473f922b366d3ab97940b27c90eec681a72450ba8875a14c4ba8b178db3b1a576074a0e9852b0f602ab8596ff420ac2f3af50013dc6c7f5834b4ce2c7e300d4df3861f3e914914b7882cca69e7ab2a63afa90f80529512072cc4abd23ec3c6bcb586b2724562ddedc1ebb3bbaa1e7560a02812847f57b2dcb9d13b87959eb40799ae97afc6ef9fa9a410b3b667b87334029f321c619ffc944f5949ff11467e87c13d6bd2313cd2b27d5fe8bba6df3ea58bc17acd14e993c89c12aed7f96c04284c91c31cb3347a1e5f69539909df5aa2b56a10b4df2f54fcd48118e88aec57257a53d12 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exepid process 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exevssvc.exedescription pid process Token: SeDebugPrivilege 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe Token: SeTakeOwnershipPrivilege 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe Token: SeBackupPrivilege 208 vssvc.exe Token: SeRestorePrivilege 208 vssvc.exe Token: SeAuditPrivilege 208 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exedescription pid process target process PID 640 wrote to memory of 3280 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe netsh.exe PID 640 wrote to memory of 3280 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe netsh.exe PID 640 wrote to memory of 3280 640 fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe"C:\Users\Admin\AppData\Local\Temp\fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:3280
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2664
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:208
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3280-114-0x0000000000000000-mapping.dmp