733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e

Analysis

max time kernel
161s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
Size

244KB
MD5

c91d610830720daaf552f5f7ac2259bc
SHA1

b566d48ae9127d8841afc4df802b1a957f0bbdcb
SHA256

733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e
SHA512

34fc24e2939370b3e532370aaa1f70c0eabb55286f24822ed3ecabff24dac5463b695f780ccebac1f1413d778e674ee4dc3613a6c1c5820161ce3ffe140dc88c
SSDEEP

6144:pN2Q8nvV11UyrSYVnr+9V3C6jx444444v:pmvV1qymYCJC6j

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\deployment.config	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\flavormap.properties	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jvm.lib	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\calendars.properties	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\PopDismount.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4500	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
4500	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	3880	vssvc.exe
Token: SeRestorePrivilege	3880	vssvc.exe
Token: SeAuditPrivilege	3880	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3900	4500	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	89
PID 4500 wrote to memory of 3900	4500	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	89
PID 3900 wrote to memory of 4844	3900	cmd.exe	91
PID 3900 wrote to memory of 4844	3900	cmd.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
"C:\Users\Admin\AppData\Local\Temp\733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45605555-E851-4D59-8C36-BBD3E6DB0143}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45605555-E851-4D59-8C36-BBD3E6DB0143}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3880

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads