2d06acb71440e4c8f46cf347fffd14f5162542edb3fdcc69b089588e3641723b

pid	Process
4312	bcdedit.exe
2848	bcdedit.exe

Renames multiple (6946) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
60	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
5064	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\U:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\L:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Q:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\H:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\I:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\K:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\M:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\R:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\X:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\F:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\A:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\T:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\W:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Y:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\B:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\P:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\J:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\N:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\O:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\V:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Z:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\E:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\G:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-unplated_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sv.pak	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\30.jpg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-black.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\3DViewerProductDescription-universal.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\sound.properties	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-256_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons_retina.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\PopMeasure.001	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Lighting.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-150.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_BillPay.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-high.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\RoundedFreehand3D.mp4	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-100.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-100_contrast-white.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ar-ae\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-125.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_trending.targetsize-48.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

pid	Process
3508	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
3624	taskkill.exe
4412	taskkill.exe
1064	taskkill.exe
376	taskkill.exe
624	taskkill.exe
4368	taskkill.exe
3648	taskkill.exe
1764	taskkill.exe
5032	taskkill.exe
368	taskkill.exe
1416	taskkill.exe
2264	taskkill.exe
3088	taskkill.exe
2832	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-356073083-3299209671-3108880702-1000\{6739E80D-D186-41EF-B3A3-ED7B8F222DAE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4040	WMIC.exe
Token: SeSecurityPrivilege	4040	WMIC.exe
Token: SeTakeOwnershipPrivilege	4040	WMIC.exe
Token: SeLoadDriverPrivilege	4040	WMIC.exe
Token: SeSystemProfilePrivilege	4040	WMIC.exe
Token: SeSystemtimePrivilege	4040	WMIC.exe
Token: SeProfSingleProcessPrivilege	4040	WMIC.exe
Token: SeIncBasePriorityPrivilege	4040	WMIC.exe
Token: SeCreatePagefilePrivilege	4040	WMIC.exe
Token: SeBackupPrivilege	4040	WMIC.exe
Token: SeRestorePrivilege	4040	WMIC.exe
Token: SeShutdownPrivilege	4040	WMIC.exe
Token: SeDebugPrivilege	4040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4040	WMIC.exe
Token: SeRemoteShutdownPrivilege	4040	WMIC.exe
Token: SeUndockPrivilege	4040	WMIC.exe
Token: SeManageVolumePrivilege	4040	WMIC.exe
Token: 33	4040	WMIC.exe
Token: 34	4040	WMIC.exe
Token: 35	4040	WMIC.exe
Token: 36	4040	WMIC.exe
Token: SeBackupPrivilege	1300	vssvc.exe
Token: SeRestorePrivilege	1300	vssvc.exe
Token: SeAuditPrivilege	1300	vssvc.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe
Token: SeShutdownPrivilege	1808	explorer.exe
Token: SeCreatePagefilePrivilege	1808	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 5100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	86
PID 2796 wrote to memory of 5100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	86
PID 2796 wrote to memory of 5100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	86
PID 5100 wrote to memory of 3240	5100	cmd.exe	88
PID 5100 wrote to memory of 3240	5100	cmd.exe	88
PID 2796 wrote to memory of 1348	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	89
PID 2796 wrote to memory of 1348	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	89
PID 2796 wrote to memory of 1348	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	89
PID 1348 wrote to memory of 1352	1348	cmd.exe	91
PID 1348 wrote to memory of 1352	1348	cmd.exe	91
PID 1352 wrote to memory of 3648	1352	cmd.exe	92
PID 1352 wrote to memory of 3648	1352	cmd.exe	92
PID 2796 wrote to memory of 260	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	94
PID 2796 wrote to memory of 260	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	94
PID 2796 wrote to memory of 260	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	94
PID 260 wrote to memory of 4484	260	cmd.exe	96
PID 260 wrote to memory of 4484	260	cmd.exe	96
PID 4484 wrote to memory of 3624	4484	cmd.exe	97
PID 4484 wrote to memory of 3624	4484	cmd.exe	97
PID 2796 wrote to memory of 4736	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	98
PID 2796 wrote to memory of 4736	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	98
PID 2796 wrote to memory of 4736	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	98
PID 4736 wrote to memory of 3868	4736	cmd.exe	100
PID 4736 wrote to memory of 3868	4736	cmd.exe	100
PID 3868 wrote to memory of 624	3868	cmd.exe	101
PID 3868 wrote to memory of 624	3868	cmd.exe	101
PID 2796 wrote to memory of 3100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	102
PID 2796 wrote to memory of 3100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	102
PID 2796 wrote to memory of 3100	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	102
PID 3100 wrote to memory of 1808	3100	cmd.exe	104
PID 3100 wrote to memory of 1808	3100	cmd.exe	104
PID 1808 wrote to memory of 4412	1808	cmd.exe	105
PID 1808 wrote to memory of 4412	1808	cmd.exe	105
PID 2796 wrote to memory of 4508	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	106
PID 2796 wrote to memory of 4508	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	106
PID 2796 wrote to memory of 4508	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	106
PID 4508 wrote to memory of 4576	4508	cmd.exe	108
PID 4508 wrote to memory of 4576	4508	cmd.exe	108
PID 4576 wrote to memory of 1064	4576	cmd.exe	109
PID 4576 wrote to memory of 1064	4576	cmd.exe	109
PID 2796 wrote to memory of 4564	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	110
PID 2796 wrote to memory of 4564	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	110
PID 2796 wrote to memory of 4564	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	110
PID 4564 wrote to memory of 536	4564	cmd.exe	112
PID 4564 wrote to memory of 536	4564	cmd.exe	112
PID 536 wrote to memory of 1416	536	cmd.exe	113
PID 536 wrote to memory of 1416	536	cmd.exe	113
PID 2796 wrote to memory of 404	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	114
PID 2796 wrote to memory of 404	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	114
PID 2796 wrote to memory of 404	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	114
PID 404 wrote to memory of 4052	404	cmd.exe	116
PID 404 wrote to memory of 4052	404	cmd.exe	116
PID 4052 wrote to memory of 376	4052	cmd.exe	117
PID 4052 wrote to memory of 376	4052	cmd.exe	117
PID 2796 wrote to memory of 2268	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	118
PID 2796 wrote to memory of 2268	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	118
PID 2796 wrote to memory of 2268	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	118
PID 2268 wrote to memory of 872	2268	cmd.exe	120
PID 2268 wrote to memory of 872	2268	cmd.exe	120
PID 872 wrote to memory of 1764	872	cmd.exe	121
PID 872 wrote to memory of 1764	872	cmd.exe	121
PID 2796 wrote to memory of 3112	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	122
PID 2796 wrote to memory of 3112	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	122
PID 2796 wrote to memory of 3112	2796	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	122

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  "C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:3108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:4888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:4748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:4288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:4760
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:3948
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:5068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:4912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:260
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:4108
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:448
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3256
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:3456
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:3528
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4012
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1648
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4028
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:4468
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:456
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:3836
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1784
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:4864
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:4408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2288
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2264
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4700
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1500
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:1932
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:60
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:4464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery