medusalocker | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
1728	bcdedit.exe
2360	bcdedit.exe

Renames multiple (648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2416	wbadmin.exe
5104	wbadmin.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3824-0-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-2-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-4-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-3-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-7-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-8-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-6-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-5-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-595-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida
behavioral2/memory/3824-1612-0x00007FF770EE0000-0x00007FF771721000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe\" e"	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-293923083-2364846840-4256557006-1000\desktop.ini	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\B:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\N:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\R:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\U:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\Y:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\L:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\Z:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\H:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\K:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\S:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\W:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\F:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\A:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\Q:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\X:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\I:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\J:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\M:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\O:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\D:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\E:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\P:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\T:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened (read-only)	\??\V:	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\DRIVERS.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\ELAM	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\ResPriLMImageList	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\SECURITY	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\daf1fcaa-10a4-496f-9c63-c065a3f3fed3.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\SAM	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2f3d9245-d6fd-4efd-a5be-c88ecac86a48	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\ResPriHMImageList	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\ResPriUHMImageList	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\ELAM.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Diagnostic.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e6a488c4-d766-4010-a655-76f0d55b82f3.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\ResPriHMImageListLowCost	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\417649e3-4db4-4636-815b-e3961d44e69e.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2f3d9245-d6fd-4efd-a5be-c88ecac86a48.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\BBI	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\DRIVERS.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\System32\config\ELAM.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\053d063bc0bd73dcab349a3000df8955f9bfc54d2c963978102e1294546dbbc4	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Boot\PCAT\bootnxt	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\053d063bc0bd73dcab349a3000df8955f9bfc54d2c963978102e1294546dbbc4.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_75c3ddb7-c9de-4243-85c4-4f244c31f3a9.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_75c3ddb7-c9de-4243-85c4-4f244c31f3a9.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.inprocess	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification	C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.ReadInstructions	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4452	vssadmin.exe
1464	vssadmin.exe
3744	vssadmin.exe
2872	vssadmin.exe
2880	vssadmin.exe
244	vssadmin.exe
1904	vssadmin.exe
4064	vssadmin.exe
3332	vssadmin.exe
3124	vssadmin.exe
1296	vssadmin.exe
3112	vssadmin.exe
2664	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	1012	vssvc.exe
Token: SeRestorePrivilege	1012	vssvc.exe
Token: SeAuditPrivilege	1012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1600	wmic.exe
Token: SeSecurityPrivilege	1600	wmic.exe
Token: SeTakeOwnershipPrivilege	1600	wmic.exe
Token: SeLoadDriverPrivilege	1600	wmic.exe
Token: SeSystemProfilePrivilege	1600	wmic.exe
Token: SeSystemtimePrivilege	1600	wmic.exe
Token: SeProfSingleProcessPrivilege	1600	wmic.exe
Token: SeIncBasePriorityPrivilege	1600	wmic.exe
Token: SeCreatePagefilePrivilege	1600	wmic.exe
Token: SeBackupPrivilege	1600	wmic.exe
Token: SeRestorePrivilege	1600	wmic.exe
Token: SeShutdownPrivilege	1600	wmic.exe
Token: SeDebugPrivilege	1600	wmic.exe
Token: SeSystemEnvironmentPrivilege	1600	wmic.exe
Token: SeRemoteShutdownPrivilege	1600	wmic.exe
Token: SeUndockPrivilege	1600	wmic.exe
Token: SeManageVolumePrivilege	1600	wmic.exe
Token: 33	1600	wmic.exe
Token: 34	1600	wmic.exe
Token: 35	1600	wmic.exe
Token: 36	1600	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3744	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	82
PID 3824 wrote to memory of 3744	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	82
PID 3824 wrote to memory of 4452	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	86
PID 3824 wrote to memory of 4452	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	86
PID 3824 wrote to memory of 2872	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	88
PID 3824 wrote to memory of 2872	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	88
PID 3824 wrote to memory of 1464	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	90
PID 3824 wrote to memory of 1464	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	90
PID 3824 wrote to memory of 3332	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	92
PID 3824 wrote to memory of 3332	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	92
PID 3824 wrote to memory of 3124	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	94
PID 3824 wrote to memory of 3124	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	94
PID 3824 wrote to memory of 1296	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	96
PID 3824 wrote to memory of 1296	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	96
PID 3824 wrote to memory of 3112	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	98
PID 3824 wrote to memory of 3112	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	98
PID 3824 wrote to memory of 244	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	100
PID 3824 wrote to memory of 244	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	100
PID 3824 wrote to memory of 1904	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	102
PID 3824 wrote to memory of 1904	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	102
PID 3824 wrote to memory of 2880	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	104
PID 3824 wrote to memory of 2880	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	104
PID 3824 wrote to memory of 4064	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	106
PID 3824 wrote to memory of 4064	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	106
PID 3824 wrote to memory of 2664	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	108
PID 3824 wrote to memory of 2664	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	108
PID 3824 wrote to memory of 2360	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	110
PID 3824 wrote to memory of 2360	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	110
PID 3824 wrote to memory of 1728	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	112
PID 3824 wrote to memory of 1728	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	112
PID 3824 wrote to memory of 2416	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	114
PID 3824 wrote to memory of 2416	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	114
PID 3824 wrote to memory of 5104	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	116
PID 3824 wrote to memory of 5104	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	116
PID 3824 wrote to memory of 1600	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	118
PID 3824 wrote to memory of 1600	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	118
PID 3824 wrote to memory of 1320	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	121
PID 3824 wrote to memory of 1320	3824	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe	121

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
"C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3824
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3744
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4452
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2872
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1464
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3332
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3124
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1296
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3112
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:244
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1904
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2880
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4064
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2664
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2360
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1728
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2416
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:5104
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0DD34E~1.EXE >> NUL
  2⤵
  PID:1320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery