d7b21d35c8b924b9b59fbb4cb104c3e386a2cd2aec9eb9d149fd6f9cac9a4672

pid	Process
2040	bcdedit.exe
3232	bcdedit.exe

Renames multiple (6521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
4112	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
1220	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\L:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\S:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\U:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Y:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\P:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\B:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\E:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\N:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\R:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\V:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\X:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\M:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\O:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Q:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Z:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\K:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\T:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\G:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\H:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\I:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\W:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	cipher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-20_altform-lightunplated.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\video.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-200.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\66.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MarkAsReadToastQuickAction.scale-80.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.Tests.ps1	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-200.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSmallTile.scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-unplated.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-150.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-200.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-400.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

pid	Process
3056	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1216	taskkill.exe
4280	taskkill.exe
2772	taskkill.exe
2216	taskkill.exe
3172	taskkill.exe
1404	taskkill.exe
920	taskkill.exe
3860	taskkill.exe
4616	taskkill.exe
3928	taskkill.exe
5056	taskkill.exe
2040	taskkill.exe
4828	taskkill.exe
4460	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{D9963C76-9F92-45E7-AB41-79374555209F}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4660	WMIC.exe
Token: SeSecurityPrivilege	4660	WMIC.exe
Token: SeTakeOwnershipPrivilege	4660	WMIC.exe
Token: SeLoadDriverPrivilege	4660	WMIC.exe
Token: SeSystemProfilePrivilege	4660	WMIC.exe
Token: SeSystemtimePrivilege	4660	WMIC.exe
Token: SeProfSingleProcessPrivilege	4660	WMIC.exe
Token: SeIncBasePriorityPrivilege	4660	WMIC.exe
Token: SeCreatePagefilePrivilege	4660	WMIC.exe
Token: SeBackupPrivilege	4660	WMIC.exe
Token: SeRestorePrivilege	4660	WMIC.exe
Token: SeShutdownPrivilege	4660	WMIC.exe
Token: SeDebugPrivilege	4660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4660	WMIC.exe
Token: SeRemoteShutdownPrivilege	4660	WMIC.exe
Token: SeUndockPrivilege	4660	WMIC.exe
Token: SeManageVolumePrivilege	4660	WMIC.exe
Token: 33	4660	WMIC.exe
Token: 34	4660	WMIC.exe
Token: 35	4660	WMIC.exe
Token: 36	4660	WMIC.exe
Token: SeBackupPrivilege	4604	vssvc.exe
Token: SeRestorePrivilege	4604	vssvc.exe
Token: SeAuditPrivilege	4604	vssvc.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe
Token: SeShutdownPrivilege	4864	explorer.exe
Token: SeCreatePagefilePrivilege	4864	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4444	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	93
PID 3084 wrote to memory of 4444	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	93
PID 3084 wrote to memory of 4444	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	93
PID 4444 wrote to memory of 1400	4444	cmd.exe	95
PID 4444 wrote to memory of 1400	4444	cmd.exe	95
PID 3084 wrote to memory of 5052	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	97
PID 3084 wrote to memory of 5052	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	97
PID 3084 wrote to memory of 5052	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	97
PID 5052 wrote to memory of 4588	5052	cmd.exe	98
PID 5052 wrote to memory of 4588	5052	cmd.exe	98
PID 4588 wrote to memory of 3928	4588	cmd.exe	99
PID 4588 wrote to memory of 3928	4588	cmd.exe	99
PID 3084 wrote to memory of 5044	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	101
PID 3084 wrote to memory of 5044	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	101
PID 3084 wrote to memory of 5044	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	101
PID 5044 wrote to memory of 2808	5044	cmd.exe	103
PID 5044 wrote to memory of 2808	5044	cmd.exe	103
PID 2808 wrote to memory of 3172	2808	cmd.exe	104
PID 2808 wrote to memory of 3172	2808	cmd.exe	104
PID 3084 wrote to memory of 4784	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	105
PID 3084 wrote to memory of 4784	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	105
PID 3084 wrote to memory of 4784	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	105
PID 4784 wrote to memory of 4864	4784	cmd.exe	107
PID 4784 wrote to memory of 4864	4784	cmd.exe	107
PID 4864 wrote to memory of 5056	4864	cmd.exe	108
PID 4864 wrote to memory of 5056	4864	cmd.exe	108
PID 3084 wrote to memory of 3020	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	109
PID 3084 wrote to memory of 3020	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	109
PID 3084 wrote to memory of 3020	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	109
PID 3020 wrote to memory of 3972	3020	cmd.exe	111
PID 3020 wrote to memory of 3972	3020	cmd.exe	111
PID 3972 wrote to memory of 1404	3972	cmd.exe	112
PID 3972 wrote to memory of 1404	3972	cmd.exe	112
PID 3084 wrote to memory of 2320	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	113
PID 3084 wrote to memory of 2320	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	113
PID 3084 wrote to memory of 2320	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	113
PID 2320 wrote to memory of 228	2320	cmd.exe	115
PID 2320 wrote to memory of 228	2320	cmd.exe	115
PID 228 wrote to memory of 2040	228	cmd.exe	116
PID 228 wrote to memory of 2040	228	cmd.exe	116
PID 3084 wrote to memory of 3388	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	117
PID 3084 wrote to memory of 3388	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	117
PID 3084 wrote to memory of 3388	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	117
PID 3388 wrote to memory of 4120	3388	cmd.exe	119
PID 3388 wrote to memory of 4120	3388	cmd.exe	119
PID 4120 wrote to memory of 920	4120	cmd.exe	120
PID 4120 wrote to memory of 920	4120	cmd.exe	120
PID 3084 wrote to memory of 4944	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	121
PID 3084 wrote to memory of 4944	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	121
PID 3084 wrote to memory of 4944	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	121
PID 4944 wrote to memory of 4080	4944	cmd.exe	123
PID 4944 wrote to memory of 4080	4944	cmd.exe	123
PID 4080 wrote to memory of 3860	4080	cmd.exe	124
PID 4080 wrote to memory of 3860	4080	cmd.exe	124
PID 3084 wrote to memory of 3884	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	125
PID 3084 wrote to memory of 3884	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	125
PID 3084 wrote to memory of 3884	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	125
PID 3884 wrote to memory of 2728	3884	cmd.exe	127
PID 3884 wrote to memory of 2728	3884	cmd.exe	127
PID 2728 wrote to memory of 4828	2728	cmd.exe	128
PID 2728 wrote to memory of 4828	2728	cmd.exe	128
PID 3084 wrote to memory of 4140	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	129
PID 3084 wrote to memory of 4140	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	129
PID 3084 wrote to memory of 4140	3084	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	129

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
  "C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2580
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:4304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:3852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:4928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        6⤵
        
        PID:2080
        
        C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        7⤵
        Drops file in Windows directory
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        
        PID:1172
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:5080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:4864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1312
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1728
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:228
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4160
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:3584
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:3824
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:4072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:436
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4404
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:3384
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:892
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4200
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1268
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1728
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:220
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:3384
- C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2644

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
1⤵
PID:3884
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$MSFW
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
1⤵
PID:3188
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoverynabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:4468
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:4216
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
1⤵
PID:3904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:4588

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:4692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery