Resubmissions
Submitted            Task ID             Score
07/04/2024, 03:02    240407-djjf4abh74   10
07/04/2024, 03:01    240407-djdwlsbh69   10
07/04/2024, 03:01    240407-dh9xnabd4y   10
07/04/2024, 03:01    240407-dh3tcabd31   10
19/06/2020, 09:02    200619-7wsmkj8vh6   10

Analysis
Max time kernel: 854s
Max time network: 842s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 07/04/2024, 03:01
Static task: static1
Behavioral task: behavioral1
Sample: 0a0ae5d804271f56c1fa5e1e695cc514.exe
Resource: win7-20240221-en
General
Target: 0a0ae5d804271f56c1fa5e1e695cc514.exe
Size: 1.0MB
MD5: 0a0ae5d804271f56c1fa5e1e695cc514
SHA1: e8d307b58856cd38c5b43f576a5dfd451f29b11c
SHA256: 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
SHA512: 27d1a4cb2e8a62ea02191db8171d66d2cd485cae7649be03a65e5bf936d6d92e98a888d33b3c4826f47eae26b3e45cd8efeca7b73626ae9913b055fd2b5bfe11
SSDEEP: 12288:Mi94bywx1Dj5+h7ZCn0P5T7lHDbIi9dszYjN5HbPiLsptcyx7tbFEujtgDi:MHx13SZW0x5j5dsYnHeYpuyx7tx/tgDi
Malware Config

Signatures
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: 0a0ae5d804271f56c1fa5e1e695cc514.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: 0a0ae5d804271f56c1fa5e1e695cc514.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: (process: 0a0ae5d804271f56c1fa5e1e695cc514.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1DDF67051DDF6705.bmp" (process: 0a0ae5d804271f56c1fa5e1e695cc514.exe)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 2224 vssadmin.exe
  PID 1060 vssadmin.exe
  PID 1324 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 884 0a0ae5d804271f56c1fa5e1e695cc514.exe
  PID 884 0a0ae5d804271f56c1fa5e1e695cc514.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege, PID 2740 vssvc.exe
  Token: SeRestorePrivilege, PID 2740 vssvc.exe
  Token: SeAuditPrivilege, PID 2740 vssvc.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  PID 884 0a0ae5d804271f56c1fa5e1e695cc514.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Description                      PID   Process                                  procid_target
  PID 884 wrote to memory of 2224  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     30
  PID 884 wrote to memory of 2224  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     30
  PID 884 wrote to memory of 2224  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     30
  PID 884 wrote to memory of 2224  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     30
  PID 884 wrote to memory of 1060  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     34
  PID 884 wrote to memory of 1060  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     34
  PID 884 wrote to memory of 1060  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     34
  PID 884 wrote to memory of 1060  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     34
  PID 884 wrote to memory of 1324  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     36
  PID 884 wrote to memory of 1324  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     36
  PID 884 wrote to memory of 1324  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     36
  PID 884 wrote to memory of 1324  884   0a0ae5d804271f56c1fa5e1e695cc514.exe     36
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\0a0ae5d804271f56c1fa5e1e695cc514.exe (PID 884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a0ae5d804271f56c1fa5e1e695cc514.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 2224)
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1060)
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1324)
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (PID 2740)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
  MD5: a428769d7dc079222802d58e581b22e5
  SHA1: ffb9240b61bab2dd55de4492a46f325612060b5e
  SHA256: cb176a73b7202414ca6d06c8876678b52f1f298cb54d6ecf8e1ef1b58b049f41
  SHA512: 754d1f7e08562a659dea720d6ea68de91ad649056b0a4ce8042a71fb7f6f636770fd16f2e9a91493796d4874aac3636078810dcaaefa14d816c8b06c62e43c98