Analysis
max time kernel: 118s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 25-10-2021 19:38
Static task: static1
Behavioral task: behavioral1
  Sample: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
  Resource: win10-en-20211014
General
Target: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
Size: 194KB
MD5: 38c68c11f6fff05be28c7f70f9e00255
SHA1: f49dd6576e63ff72cab929d7008acaeb8a74be8e
SHA256: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b
SHA512: 6e141309ec23e740eeca34757db4eafa9373574ddfa222e1467c29bfc4cbfc42b7b7bba36294ad58e0adc7fdab0ad25818f2f01f8b4dcf5ff590821db31aacfd
Malware Config
Extracted from: C:\readme.txt
Family: conti
Contact URLs in the note:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
- File renamed C:\Users\Admin\Pictures\OpenWrite.png => C:\Users\Admin\Pictures\OpenWrite.png.LNVWO
- File renamed C:\Users\Admin\Pictures\TestExport.crw => C:\Users\Admin\Pictures\TestExport.crw.LNVWO
- File renamed C:\Users\Admin\Pictures\WaitUse.tif => C:\Users\Admin\Pictures\WaitUse.tif.LNVWO
- File renamed C:\Users\Admin\Pictures\ClearGroup.tif => C:\Users\Admin\Pictures\ClearGroup.tif.LNVWO
- File renamed C:\Users\Admin\Pictures\ConvertFromReset.tif => C:\Users\Admin\Pictures\ConvertFromReset.tif.LNVWO
- File renamed C:\Users\Admin\Pictures\ExpandOpen.raw => C:\Users\Admin\Pictures\ExpandOpen.raw.LNVWO
- File renamed C:\Users\Admin\Pictures\MeasureRequest.crw => C:\Users\Admin\Pictures\MeasureRequest.crw.LNVWO
Drops startup file 1 IoCs
Processes:
Process: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
Note: readme.txt is the ransom note this sample writes into every directory it traverses (the same file name appears throughout the Program Files entries below, and the conti config above was extracted from C:\readme.txt). Its appearance in the Word STARTUP folder is a side effect of that traversal rather than a dedicated persistence mechanism; Word loads templates and add-ins from that folder, not .txt files.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
Process: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png
- File created C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg
- File opened for modification C:\Program Files\7-Zip\Lang\lij.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\readme.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\readme.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png
- File opened for modification C:\Program Files\7-Zip\Lang\kab.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin
- File created C:\Program Files\VideoLAN\VLC\plugins\access_output\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INF
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png
- File created C:\Program Files\Common Files\microsoft shared\ink\nb-NO\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms
- File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\readme.txt
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\readme.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\readme.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms
- File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\readme.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\readme.txt
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Process: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
- pid 2828 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
- pid 2828 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Process: vssvc.exe (pid 1404)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Process: WMIC.exe (pid 1052); the following 21 privileges are each recorded twice (42 entries)
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Processes: 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe, cmd.exe
- PID 2828 wrote to memory of 2376 (603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe -> cmd.exe)
- PID 2828 wrote to memory of 2376 (603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe -> cmd.exe)
- PID 2376 wrote to memory of 1052 (cmd.exe -> WMIC.exe)
- PID 2376 wrote to memory of 1052 (cmd.exe -> WMIC.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe (PID 2828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 2376, child of 2828)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1052, child of 2376)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1404)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the sample removes volume shadow copies through WMI, deleting them by ID rather than with a blanket "delete shadows" call. The GUID in the command line identifies a shadow copy on this sandbox volume and will differ on every host, so a detection should key on the WMIC.exe shadowcopy ... delete pattern (and its parent being a non-standard executable) rather than on the ID. vssvc.exe is the Windows Volume Shadow Copy service, started by the system to service that request; it is a legitimate component here, and its use of SeBackupPrivilege and SeRestorePrivilege is normal for the service.
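The two behaviours this report records, shadow copy deletion via a cmd.exe -> WMIC.exe chain and a burst of renames that append one new extension, are the signals a detection engineer would want to turn into rules. The following is an added example, not part of the sandbox report: it rebuilds the report's process and file events as constructed in-memory records (the parent PIDs 1000 and 900 and the explorer.exe rename are hypothetical filler for contrast) and runs both checks over them. The shadow copy regex also covers the vssadmin "delete shadows" form, which this report does not show, and the burst threshold of five is a tuning assumption.

```python
"""Detection logic for shadow copy deletion chains and uniform-extension rename
bursts, run over events constructed from the sandbox report (not real logs)."""
import re
from collections import defaultdict

SAMPLE = "603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe"

# Constructed process-creation events. ppid 1000 and 900 are hypothetical
# parents that the report does not record.
PROCESS_EVENTS = [
    {"pid": 2828, "ppid": 1000, "image": SAMPLE,
     "cmdline": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'},
    {"pid": 2376, "ppid": 2828, "image": "cmd.exe",
     "cmdline": r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete'''},
    {"pid": 1052, "ppid": 2376, "image": "WMIC.exe",
     "cmdline": r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete'''},
    # Constructed benign contrast: an administrator listing shadow copies.
    {"pid": 3100, "ppid": 900, "image": "WMIC.exe",
     "cmdline": "wmic shadowcopy list brief"},
]

# Constructed file-rename events (pid, old path, new path): the seven renames
# from the report plus one ordinary rename by a hypothetical explorer.exe.
FILE_EVENTS = [
    (2828, r"C:\Users\Admin\Pictures\OpenWrite.png", r"C:\Users\Admin\Pictures\OpenWrite.png.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\TestExport.crw", r"C:\Users\Admin\Pictures\TestExport.crw.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\WaitUse.tif", r"C:\Users\Admin\Pictures\WaitUse.tif.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\ClearGroup.tif", r"C:\Users\Admin\Pictures\ClearGroup.tif.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\ConvertFromReset.tif", r"C:\Users\Admin\Pictures\ConvertFromReset.tif.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\ExpandOpen.raw", r"C:\Users\Admin\Pictures\ExpandOpen.raw.LNVWO"),
    (2828, r"C:\Users\Admin\Pictures\MeasureRequest.crw", r"C:\Users\Admin\Pictures\MeasureRequest.crw.LNVWO"),
    (4000, r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx"),
]

# WMIC shadowcopy deletion as seen in the report, plus the vssadmin form
# (an added generalisation; the report itself only shows WMIC).
SHADOW_DELETE = re.compile(
    r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|vssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
    re.IGNORECASE,
)


def shadow_copy_deletions(events):
    """PIDs whose command line deletes volume shadow copies, in event order."""
    return [e["pid"] for e in events if SHADOW_DELETE.search(e["cmdline"])]


def ancestry(events, pid):
    """Image names from pid up to the oldest ancestor present in the events."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def shadow_copy_deletion_chains(events):
    """Map each deleting PID to its process chain so the analyst sees who
    launched it; in the report the root of the chain is the sample itself."""
    return {pid: ancestry(events, pid) for pid in shadow_copy_deletions(events)}


def rename_bursts(file_events, min_count=5):
    """Group renames that only append ".<ext>" to the original name, keyed by
    (pid, ext). A bucket of min_count or more renames is a ransomware-style
    burst; min_count is a tuning assumption, not a value from the report."""
    buckets = defaultdict(list)
    for pid, old, new in file_events:
        suffix = new[len(old) + 1:]
        if new.startswith(old + ".") and suffix and "." not in suffix:
            buckets[(pid, suffix)].append(old)
    return {k: v for k, v in buckets.items() if len(v) >= min_count}


def triage(process_events, file_events):
    """Combine both signals into one verdict dictionary."""
    chains = shadow_copy_deletion_chains(process_events)
    bursts = rename_bursts(file_events)
    return {
        "shadow_copy_deletion_chains": chains,
        "rename_bursts": bursts,
        "ransomware_likely": bool(chains) and bool(bursts),
    }


if __name__ == "__main__":
    result = triage(PROCESS_EVENTS, FILE_EVENTS)
    for pid, chain in result["shadow_copy_deletion_chains"].items():
        print(f"shadow copy deletion by pid {pid}: {' <- '.join(chain)}")
    for (pid, ext), paths in result["rename_bursts"].items():
        print(f"pid {pid} appended .{ext} to {len(paths)} files")
    print("ransomware likely:", result["ransomware_likely"])
```

On the constructed events the chain check flags PIDs 2376 and 1052 and walks both back to the sample, while the benign "shadowcopy list brief" WMIC invocation is ignored; the rename check produces a single bucket for PID 2828 and extension LNVWO. In a real pipeline the events would come from process-creation and file-rename telemetry (Sysmon event IDs 1 and 11, or an EDR's equivalents) rather than from literals.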