Analysis
- max time kernel: 162s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-06-2022 18:28
Static task: static1
Behavioral task: behavioral1
- Sample: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
- Resource: win10v2004-20220414-en
General
- Target: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
- Size: 62KB
- MD5: 131a20e9f579bc9f7dd9832b4c5f25bd
- SHA1: 83979db718962e3a0b45e5f70320fe5b4f009b7c
- SHA256: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
- SHA512: 92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe (10 process entries)
  description | ioc | process
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (4 process entries)
  pid | process
  780 | sc.exe
  2576 | sc.exe
  3228 | sc.exe
  2284 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (14 process entries)
  pid | process
  3784 | vssadmin.exe
  2316 | vssadmin.exe
  1572 | vssadmin.exe
  2204 | vssadmin.exe
  2304 | vssadmin.exe
  2728 | vssadmin.exe
  1836 | vssadmin.exe
  4312 | vssadmin.exe
  2532 | vssadmin.exe
  4060 | vssadmin.exe
  3660 | vssadmin.exe
  4296 | vssadmin.exe
  3256 | vssadmin.exe
  692 | vssadmin.exe
- Kills process with taskkill (3 IoCs)
  Processes: taskkill.exe (3 process entries)
  pid | process
  1228 | taskkill.exe
  204 | taskkill.exe
  4004 | taskkill.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  pid | process
  3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  (the same pid/process pair is recorded 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe, taskkill.exe (3 entries), vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  Token: SeDebugPrivilege | 1228 | taskkill.exe
  Token: SeDebugPrivilege | 204 | taskkill.exe
  Token: SeDebugPrivilege | 4004 | taskkill.exe
  Token: SeBackupPrivilege | 4076 | vssvc.exe
  Token: SeRestorePrivilege | 4076 | vssvc.exe
  Token: SeAuditPrivilege | 4076 | vssvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe, net.exe (5 entries)
  description | pid | process | target process
  (each row below is recorded twice in the report, giving 32 distinct writes and 64 IoCs)
  PID 3892 wrote to memory of 4836 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe
  PID 4836 wrote to memory of 4484 | 4836 | net.exe | net1.exe
  PID 3892 wrote to memory of 3880 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe
  PID 3880 wrote to memory of 3520 | 3880 | net.exe | net1.exe
  PID 3892 wrote to memory of 4576 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe
  PID 4576 wrote to memory of 4476 | 4576 | net.exe | net1.exe
  PID 3892 wrote to memory of 4548 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe
  PID 4548 wrote to memory of 3260 | 4548 | net.exe | net1.exe
  PID 3892 wrote to memory of 3516 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe
  PID 3516 wrote to memory of 1508 | 3516 | net.exe | net1.exe
  PID 3892 wrote to memory of 3228 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe
  PID 3892 wrote to memory of 2284 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe
  PID 3892 wrote to memory of 780 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe
  PID 3892 wrote to memory of 2576 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe
  PID 3892 wrote to memory of 1228 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe
  PID 3892 wrote to memory of 204 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe
  PID 3892 wrote to memory of 4004 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe
  PID 3892 wrote to memory of 3784 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 2304 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 2316 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 2728 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 4060 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 4312 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 3660 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 4296 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 2532 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 1572 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 3256 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 1836 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 2204 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 692 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe
  PID 3892 wrote to memory of 3120 | 3892 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | arp.exe
Processes
(child processes are nested under their parent as recorded in the WriteProcessMemory section above: net.exe spawns net1.exe, everything else is spawned by the sample)
- C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop avpsus /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop avpsus /y
  - C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop McAfeeDLPAgentService /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  - C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop mfewc /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop mfewc /y
  - C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BMR Boot Service /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
  - C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY start= disabled
    - Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    - Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLWriter start= disabled
    - Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SstpSvc start= disabled
    - Launches sc.exe
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mspub.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\arp.exe
    Command line: "arp" -a
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/204-147-0x0000000000000000-mapping.dmp
- memory/692-162-0x0000000000000000-mapping.dmp
- memory/780-144-0x0000000000000000-mapping.dmp
- memory/1228-146-0x0000000000000000-mapping.dmp
- memory/1508-141-0x0000000000000000-mapping.dmp
- memory/1572-158-0x0000000000000000-mapping.dmp
- memory/1836-160-0x0000000000000000-mapping.dmp
- memory/2204-161-0x0000000000000000-mapping.dmp
- memory/2284-143-0x0000000000000000-mapping.dmp
- memory/2304-150-0x0000000000000000-mapping.dmp
- memory/2316-151-0x0000000000000000-mapping.dmp
- memory/2532-157-0x0000000000000000-mapping.dmp
- memory/2576-145-0x0000000000000000-mapping.dmp
- memory/2728-152-0x0000000000000000-mapping.dmp
- memory/3120-163-0x0000000000000000-mapping.dmp
- memory/3228-142-0x0000000000000000-mapping.dmp
- memory/3256-159-0x0000000000000000-mapping.dmp
- memory/3260-139-0x0000000000000000-mapping.dmp
- memory/3516-140-0x0000000000000000-mapping.dmp
- memory/3520-135-0x0000000000000000-mapping.dmp
- memory/3660-155-0x0000000000000000-mapping.dmp
- memory/3784-149-0x0000000000000000-mapping.dmp
- memory/3880-134-0x0000000000000000-mapping.dmp
- memory/3892-133-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp (Filesize: 10MB)
- memory/3892-164-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp (Filesize: 10MB)
- memory/3892-130-0x0000000000C30000-0x0000000000C46000-memory.dmp (Filesize: 88KB)
- memory/4004-148-0x0000000000000000-mapping.dmp
- memory/4060-153-0x0000000000000000-mapping.dmp
- memory/4296-156-0x0000000000000000-mapping.dmp
- memory/4312-154-0x0000000000000000-mapping.dmp
- memory/4476-137-0x0000000000000000-mapping.dmp
- memory/4484-132-0x0000000000000000-mapping.dmp
- memory/4548-138-0x0000000000000000-mapping.dmp
- memory/4576-136-0x0000000000000000-mapping.dmp
- memory/4836-131-0x0000000000000000-mapping.dmp