Analysis
max time kernel: 171s
max time network: 136s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 13:20
Behavioral task: behavioral1
Sample: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Resource: win10v2004-20240412-en
General
Target: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Size: 719KB
MD5: 275e4a63fc63c995b3e0d464919f211b
SHA1: 51d85210c2f621ca14d92a8375ee24d62f9d7f44
SHA256: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
SHA512: 1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac
SSDEEP: 12288:OR8hjUV679Aa4Auw3gveB17cOT1WHWEQTe0udkuHgCNU7SY/qgjjmJ/:quK679Aa4Auw3gveB1TGWEQSzXY/tjq/
Malware Config
Extracted
Path: C:\Users\Admin\Documents\ZfV6ho_readme_.txt
Family: avaddon
URL: http://avaddonbotrxmuyl.onion
Extracted
Path: C:\Users\Admin\Favorites\Microsoft Websites\ZfV6ho_readme_.txt
Family: avaddon
URL: http://avaddonbotrxmuyl.onion
Extracted
Path: C:\Users\Default\ZfV6ho_readme_.txt
Family: avaddon
URL: http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2452 | vssadmin.exe
2652 | vssadmin.exe
2656 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 63 IoCs
Suspicious use of WriteProcessMemory 24 IoCs
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2200
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 1984
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2452
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2968
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2652
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2852
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2656
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads
Filesize: 3KB
MD5: 76805ecdddcb52a769ce60100dffef3c
SHA1: 00daffe57a804b48dda1b58de352707f2299a38e
SHA256: 963dacb7abc995307fb8bf4d422027acda5b975409e316cc37e34d85157fd527
SHA512: 813ae63e54f79e01e67340773239536bcbda30c7fa73944ac7b8cc3de52375e44993c2a4620c1b955cb3de03fa576248fbbd6a5f54cdc0cb0ca6e624aa16bf2a

Filesize: 3KB
MD5: 3d57dc5d94f3de41b17159714f944d1e
SHA1: 32f31c93d988607866d655099e6ef804bfa85d10
SHA256: 188c8cebf2cb78597888cc3fb47f961ab1c1d97bffb592084419fe93de7714f8
SHA512: 304c093cac84723866bbb16b7907cba0470fc747b7a220eef07ce07eb7c773d64dbd254fbfcaa2f5f9fe0d18c7cf3a0214c9afe0baf9a77befd13dacf41fb84e

Filesize: 3KB
MD5: 00428c6a0c312872095702b80b55c1c8
SHA1: 70c70d0b837f045a69a3ef60cafb4dc4fda767ae
SHA256: 657677b076e5581bee280fe21c7da0dc5274979b43b3e078e1f046d410d2fbbf
SHA512: dc5aee6cec1accf2c6b0d4330e2d6b3b5c11b9b27c4dc61918d3f5363c00d4dfb7687b9f08a7c2737a7d94dce70e39525b8d4d6e0b2b8e6a90ad0bc0a3512b8e