Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 24/02/2022, 06:26
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
  - Resource: win10v2004-en-20220112
General
- Target: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
- Size: 161KB
- MD5: 8e4fa69d87a6d3c6d7e6c699b25cc2ab
- SHA1: e5981cfe6ded85b01b10f4b2a5fc2f8537a63b31
- SHA256: 6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18
- SHA512: fd6ad515c7227a8525e3f3c7b390c547e86b43624424acb978e14d0a7dfa6a90f3cf95518a3b97509f36aed1eb3173dae9d31b6f23990abc232c9dcfb1245994
Malware Config
- Extracted from: C:\Program Files\RECOVERY INFORMATION.txt
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)

| pid  | Process     |
|------|-------------|
| 788  | bcdedit.exe |
| 2764 | bcdedit.exe |
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.

| description                  | ioc                                                                                                          | Process                                  |
|------------------------------|--------------------------------------------------------------------------------------------------------------|------------------------------------------|
| File renamed                 | C:\Users\Admin\Pictures\DisconnectFormat.crw => C:\Users\Admin\Pictures\DisconnectFormat.crw.consultransom | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File renamed                 | C:\Users\Admin\Pictures\DisconnectOpen.raw => C:\Users\Admin\Pictures\DisconnectOpen.raw.consultransom     | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File renamed                 | C:\Users\Admin\Pictures\SplitCheckpoint.tif => C:\Users\Admin\Pictures\SplitCheckpoint.tif.consultransom   | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened for modification | C:\Users\Admin\Pictures\SaveConnect.tiff                                                                     | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File renamed                 | C:\Users\Admin\Pictures\SaveConnect.tiff => C:\Users\Admin\Pictures\SaveConnect.tiff.consultransom         | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File renamed                 | C:\Users\Admin\Pictures\WatchResume.png => C:\Users\Admin\Pictures\WatchResume.png.consultransom           | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

| description       | ioc                                                                                                        | Process                                  |
|-------------------|------------------------------------------------------------------------------------------------------------|------------------------------------------|
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

All 24 entries are of the form "File opened (read-only)" by 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe, in the order recorded:

| description             | ioc    | Process                                  |
|-------------------------|--------|------------------------------------------|
| File opened (read-only) | \??\V: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\A: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\H: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\K: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\P: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\S: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\T: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\U: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\W: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\Y: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\G: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\M: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\Q: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\R: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\B: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\I: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\Z: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\E: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\F: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\J: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\L: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\N: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\O: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| File opened (read-only) | \??\X: | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.

| pid  | Process      |
|------|--------------|
| 2604 | vssadmin.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid  | Process                                  |
|------|------------------------------------------|
| 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |

Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description                     | pid  | Process                                  |
|---------------------------------|------|------------------------------------------|
| Token: SeTakeOwnershipPrivilege | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| Token: SeDebugPrivilege         | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe |
| Token: SeBackupPrivilege        | 3572 | vssvc.exe                                |
| Token: SeRestorePrivilege       | 3572 | vssvc.exe                                |
| Token: SeAuditPrivilege         | 3572 | vssvc.exe                                |

Suspicious use of WriteProcessMemory (10 IoCs)

| description                      | pid  | Process                                  | procid_target |
|----------------------------------|------|------------------------------------------|---------------|
| PID 3820 wrote to memory of 2604 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 61            |
| PID 3820 wrote to memory of 2604 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 61            |
| PID 3820 wrote to memory of 3028 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 63            |
| PID 3820 wrote to memory of 3028 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 63            |
| PID 3820 wrote to memory of 2628 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 65            |
| PID 3820 wrote to memory of 2628 | 3820 | 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe | 65            |
| PID 2628 wrote to memory of 2764 | 2628 | cmd.exe                                  | 69            |
| PID 2628 wrote to memory of 2764 | 2628 | cmd.exe                                  | 69            |
| PID 3028 wrote to memory of 788  | 3028 | cmd.exe                                  | 68            |
| PID 3028 wrote to memory of 788  | 3028 | cmd.exe                                  | 68            |
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"
  PID: 3820
  Signatures:
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\vssadmin.exe
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    PID: 2604
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 3028
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 788
      Signatures:
      - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 2628
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} recoveryenabled no
      PID: 2764
      Signatures:
      - Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3572
  Signatures:
  - Suspicious use of AdjustPrivilegeToken