a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

Analysis

max time kernel
162s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Size

62KB
MD5

131a20e9f579bc9f7dd9832b4c5f25bd
SHA1

83979db718962e3a0b45e5f70320fe5b4f009b7c
SHA256

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
SHA512

92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
780	sc.exe
2576	sc.exe
3228	sc.exe
2284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3784	vssadmin.exe
2316	vssadmin.exe
1572	vssadmin.exe
2204	vssadmin.exe
2304	vssadmin.exe
2728	vssadmin.exe
1836	vssadmin.exe
4312	vssadmin.exe
2532	vssadmin.exe
4060	vssadmin.exe
3660	vssadmin.exe
4296	vssadmin.exe
3256	vssadmin.exe
692	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1228	taskkill.exe
204	taskkill.exe
4004	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	204	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	77
PID 3892 wrote to memory of 4836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	77
PID 4836 wrote to memory of 4484	4836	net.exe	79
PID 4836 wrote to memory of 4484	4836	net.exe	79
PID 3892 wrote to memory of 3880	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	80
PID 3892 wrote to memory of 3880	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	80
PID 3880 wrote to memory of 3520	3880	net.exe	82
PID 3880 wrote to memory of 3520	3880	net.exe	82
PID 3892 wrote to memory of 4576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	83
PID 3892 wrote to memory of 4576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	83
PID 4576 wrote to memory of 4476	4576	net.exe	85
PID 4576 wrote to memory of 4476	4576	net.exe	85
PID 3892 wrote to memory of 4548	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	86
PID 3892 wrote to memory of 4548	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	86
PID 4548 wrote to memory of 3260	4548	net.exe	88
PID 4548 wrote to memory of 3260	4548	net.exe	88
PID 3892 wrote to memory of 3516	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	89
PID 3892 wrote to memory of 3516	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	89
PID 3516 wrote to memory of 1508	3516	net.exe	91
PID 3516 wrote to memory of 1508	3516	net.exe	91
PID 3892 wrote to memory of 3228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	92
PID 3892 wrote to memory of 3228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	92
PID 3892 wrote to memory of 2284	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	94
PID 3892 wrote to memory of 2284	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	94
PID 3892 wrote to memory of 780	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	96
PID 3892 wrote to memory of 780	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	96
PID 3892 wrote to memory of 2576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	98
PID 3892 wrote to memory of 2576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	98
PID 3892 wrote to memory of 1228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	100
PID 3892 wrote to memory of 1228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	100
PID 3892 wrote to memory of 204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	102
PID 3892 wrote to memory of 204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	102
PID 3892 wrote to memory of 4004	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	104
PID 3892 wrote to memory of 4004	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	104
PID 3892 wrote to memory of 3784	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	106
PID 3892 wrote to memory of 3784	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	106
PID 3892 wrote to memory of 2304	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	110
PID 3892 wrote to memory of 2304	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	110
PID 3892 wrote to memory of 2316	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	112
PID 3892 wrote to memory of 2316	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	112
PID 3892 wrote to memory of 2728	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	114
PID 3892 wrote to memory of 2728	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	114
PID 3892 wrote to memory of 4060	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	116
PID 3892 wrote to memory of 4060	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	116
PID 3892 wrote to memory of 4312	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	118
PID 3892 wrote to memory of 4312	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	118
PID 3892 wrote to memory of 3660	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	120
PID 3892 wrote to memory of 3660	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	120
PID 3892 wrote to memory of 4296	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	122
PID 3892 wrote to memory of 4296	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	122
PID 3892 wrote to memory of 2532	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	124
PID 3892 wrote to memory of 2532	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	124
PID 3892 wrote to memory of 1572	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	126
PID 3892 wrote to memory of 1572	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	126
PID 3892 wrote to memory of 3256	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	128
PID 3892 wrote to memory of 3256	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	128
PID 3892 wrote to memory of 1836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	130
PID 3892 wrote to memory of 1836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	130
PID 3892 wrote to memory of 2204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	132
PID 3892 wrote to memory of 2204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	132
PID 3892 wrote to memory of 692	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	134
PID 3892 wrote to memory of 692	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	134
PID 3892 wrote to memory of 3120	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	136
PID 3892 wrote to memory of 3120	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	136

C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
"C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:3520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:3260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1508
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3228
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:780
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3784
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2304
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2316
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2728
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4060
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4312
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3660
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4296
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2532
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1572
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3256
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1836
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2204
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:692
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-133-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp

Filesize
10.8MB

Download
memory/3892-164-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp

Filesize
10.8MB

Download
memory/3892-130-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download