8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
Size

332KB
MD5

7286267a7eeaf2c3122635c5edb71e84
SHA1

d342d986442a20453d3c9a438766758301d88d4e
SHA256

3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f
SHA512

8567661bc656edbacd0ca59f1d1b38cad7c3101d8d06772ae1eba9828792327cbc6b4254e5e61d2b190f4f4350c6288ac2e5c811f7a4ed0c38bc4be8ccf636f0
SSDEEP

6144:0LI9sGqBET+/evZ9zgDU/JSrJyhSdDXR0sVWorEriYtkD:d9JL+/eh90DU/JYUh01YtkD

Score

10^/10

evasion ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1664 created 1252	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	11

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2392	bcdedit.exe
2536	bcdedit.exe

Renames multiple (4395) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1684	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1980	wbadmin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\R:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\Z:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\G:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\E:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\H:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\I:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\N:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\U:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\Y:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\A:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\K:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\L:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\P:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\Q:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\T:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\V:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\W:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\B:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\X:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\M:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\S:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened (read-only)	\??\J:	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00169_.GIF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\How_to_back_files.html	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1360	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2344	taskkill.exe
2596	taskkill.exe
2608	taskkill.exe
2920	taskkill.exe
320	taskkill.exe
2840	taskkill.exe
1904	taskkill.exe
1344	taskkill.exe
2052	taskkill.exe
1156	taskkill.exe
2952	taskkill.exe
2732	taskkill.exe
2648	taskkill.exe
1676	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	1344	svchost.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2392	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	78
PID 1664 wrote to memory of 2392	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	78
PID 1664 wrote to memory of 2392	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	78
PID 1664 wrote to memory of 2392	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	78
PID 2392 wrote to memory of 2268	2392	bcdedit.exe	31
PID 2392 wrote to memory of 2268	2392	bcdedit.exe	31
PID 2392 wrote to memory of 2268	2392	bcdedit.exe	31
PID 2392 wrote to memory of 2268	2392	bcdedit.exe	31
PID 1664 wrote to memory of 2704	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	155
PID 1664 wrote to memory of 2704	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	155
PID 1664 wrote to memory of 2704	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	155
PID 1664 wrote to memory of 2704	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	155
PID 2704 wrote to memory of 2824	2704	cmd.exe	32
PID 2704 wrote to memory of 2824	2704	cmd.exe	32
PID 2704 wrote to memory of 2824	2704	cmd.exe	32
PID 2704 wrote to memory of 2824	2704	cmd.exe	32
PID 2824 wrote to memory of 2840	2824	cmd.exe	33
PID 2824 wrote to memory of 2840	2824	cmd.exe	33
PID 2824 wrote to memory of 2840	2824	cmd.exe	33
PID 1664 wrote to memory of 2744	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	35
PID 1664 wrote to memory of 2744	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	35
PID 1664 wrote to memory of 2744	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	35
PID 1664 wrote to memory of 2744	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	35
PID 2744 wrote to memory of 2872	2744	cmd.exe	152
PID 2744 wrote to memory of 2872	2744	cmd.exe	152
PID 2744 wrote to memory of 2872	2744	cmd.exe	152
PID 2744 wrote to memory of 2872	2744	cmd.exe	152
PID 2872 wrote to memory of 2596	2872	cmd.exe	36
PID 2872 wrote to memory of 2596	2872	cmd.exe	36
PID 2872 wrote to memory of 2596	2872	cmd.exe	36
PID 1664 wrote to memory of 2588	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	151
PID 1664 wrote to memory of 2588	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	151
PID 1664 wrote to memory of 2588	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	151
PID 1664 wrote to memory of 2588	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	151
PID 2588 wrote to memory of 1684	2588	cmd.exe	82
PID 2588 wrote to memory of 1684	2588	cmd.exe	82
PID 2588 wrote to memory of 1684	2588	cmd.exe	82
PID 2588 wrote to memory of 1684	2588	cmd.exe	82
PID 1684 wrote to memory of 2732	1684	wbadmin.exe	38
PID 1684 wrote to memory of 2732	1684	wbadmin.exe	38
PID 1684 wrote to memory of 2732	1684	wbadmin.exe	38
PID 1664 wrote to memory of 2848	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	39
PID 1664 wrote to memory of 2848	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	39
PID 1664 wrote to memory of 2848	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	39
PID 1664 wrote to memory of 2848	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	39
PID 2848 wrote to memory of 2580	2848	cmd.exe	149
PID 2848 wrote to memory of 2580	2848	cmd.exe	149
PID 2848 wrote to memory of 2580	2848	cmd.exe	149
PID 2848 wrote to memory of 2580	2848	cmd.exe	149
PID 2580 wrote to memory of 2608	2580	cmd.exe	41
PID 2580 wrote to memory of 2608	2580	cmd.exe	41
PID 2580 wrote to memory of 2608	2580	cmd.exe	41
PID 1664 wrote to memory of 2108	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	42
PID 1664 wrote to memory of 2108	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	42
PID 1664 wrote to memory of 2108	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	42
PID 1664 wrote to memory of 2108	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	42
PID 2108 wrote to memory of 2368	2108	cmd.exe	147
PID 2108 wrote to memory of 2368	2108	cmd.exe	147
PID 2108 wrote to memory of 2368	2108	cmd.exe	147
PID 2108 wrote to memory of 2368	2108	cmd.exe	147
PID 2368 wrote to memory of 2052	2368	cmd.exe	43
PID 2368 wrote to memory of 2052	2368	cmd.exe	43
PID 2368 wrote to memory of 2052	2368	cmd.exe	43
PID 1664 wrote to memory of 1064	1664	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe	146

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
  "C:\Users\Admin\AppData\Local\Temp\3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:2392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f.exe -network
  2⤵
  - System policy modification
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\taskkill.exe
  taskkill -f -im sqlbrowser.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
1⤵
PID:1684
- C:\Windows\system32\taskkill.exe
  taskkill -f -im sqlserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
1⤵
PID:2904
- C:\Windows\system32\taskkill.exe
  taskkill -f -im sqlceip.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
1⤵
PID:1332
- C:\Windows\system32\taskkill.exe
  taskkill -f -im ReportingServicesService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:320

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
1⤵
PID:2100
- C:\Windows\system32\taskkill.exe
  taskkill -f -im pg_ctl.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:2344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
1⤵
PID:896

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
1⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
1⤵
PID:2056
- C:\Windows\system32\net.exe
  net stop MSSQL$MSFW
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
1⤵
PID:3004
- C:\Windows\system32\net.exe
  net stop SQLAgent$MSFW
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:1868
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:1596

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
1⤵
PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
- Deletes System State backups
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:1360

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoverynabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
1⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:2024

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
1⤵
- Deletes system backups
- Drops file in Windows directory
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
1⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:2508

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
1⤵
PID:1876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
1⤵
PID:912

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
1⤵
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:1936

C:\Windows\system32\net.exe
net stop SQLBrowser
1⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
1⤵
PID:1816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:1444

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
1⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
1⤵
PID:1348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:2372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
1⤵
PID:1928

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
1⤵
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
1⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
1⤵
PID:284

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
1⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
1⤵
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
0ab30e27c7d4e8864166cae26b6b946b

SHA1
00c05dc9a686306993143d036fe6dfa70ccafec0

SHA256
011981dceb358d0451c52e2350d494dd4795126640c113b5a6bbb8f46e250d15

SHA512
cf66cb0d9b1637bfba01534bdc92e63b026a028396c6cc1337dd68c0039db336a0bbac965bf6fd1f1221a1200cf04757af696236576a0425991f45544cab5bd1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
4931639fa88ecd776c5bfb383731d7d7

SHA1
4ad76a36f7c3fb596ba74ce24ca928c7275ebfee

SHA256
aaaddf75763d7e31b187a46bde8750166cfec353c000fb733f9dbf952f2465be

SHA512
409b68a517f2703d04795ffc8effb490339551cd345f7d8208343d5a795bcd2bec7d7da51ce8383be0ef7abd99d50196a18452dd30e50ec811158d7008d393ef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
ef07ed728837e15ff345fd591ceb20b7

SHA1
bbe6a0978e75a42cd08006f4d4516a14176940b4

SHA256
c0fe197114b36ecede3496a595734df60c718a1725b879b60401987117556c6f

SHA512
4b8879b2a339af0e546f7c2afe3ebe473d9a931eb37d491abf136f8cbfba77fef3c22476df464635a5cff3caf2ea3b083ec1a5ba8347cf29b112de078afba3c3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
7ea5d8bf6be5e719c42b7e7e40ff63d9

SHA1
7809071f4ce0195388d42d127681436c53d65130

SHA256
8f4ae82eb00172658b916cffe11639edd02ac0bcf475ee6c977cd0c7bebc7d79

SHA512
a73fc8408dc09beb16364730779e63b5f8abc283ed40365ce04b6891f4ed35aa4acd76a773f6207268533f29a57d0e2b1ef7e6fe4f27cc7d40c86393d7699bfd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf

Filesize
1KB

MD5
18941b1ba2126513c45e7d44510ca709

SHA1
273e65c0e12e93ee421010f994a365f3020d9e05

SHA256
8b36f81e60331f6d0a207662115e793672880b7b17837a494a54e11fb420c2a5

SHA512
744cbfe2cda350928ee3e2ff3ab395098d714bc6994aa5942889d5bf1c2f906598fecf86c8c541db26f07b8f274ebedc1d20b12aeb70f05614b83fbd2fe1e53e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html

Filesize
1KB

MD5
f932d2f85d71402566cf6afc7b2a8763

SHA1
0c44b51feb3c1439199e8b991f07ef7551be4e79

SHA256
fd30cdf34221364a78ccf7395cfa7f6f52631589bfa0e6eb701bb7e7ff6adc33

SHA512
86a273749efedaf377c77f7dcd1229625e37f6d0321c1352dbf5f0bacdcd8199ce6c818eb9300ddef699af8b2097d104031c6e8767979a87421e7fd82ae34936

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
ada69a111fa408ed20e2ab2258142d61

SHA1
14d8aabc90fcb5b1990e9e6b9cd4be1185ca368c

SHA256
d8f6b2f4babe0ad3fb62fe599e849bfcfe00e0bb84704b2013fa02b88b4eeb7c

SHA512
2730d19517e3e7fba8b2c5c5935de64089b52f3233f0c3a98366eb02aabf4bcaebc14198c0ecfd64bb76aa172d2583c9e1a950b8bea9a5357e6698d072254fe7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
35KB

MD5
c2af840a235b2b108f6d42a748b31f44

SHA1
f0ced96b4961fd438a1c2d7e5c11cca0c9e31773

SHA256
71dd78f87b23f460dea01ab8dbd05719bc58b240950e527c113686245951ccc1

SHA512
7e67c4be9e34767877adfebb4abdf56c8ca1b920015c076e6cc0dc7f0ea42583585be55307cd3eff77f205bf5089b2302567741963dc3ac4a57bf415070802ec

Download Submit