b0c29ba285c7b4c5ff41831278822437bcb05dee70d4cac7f0d1965eddd4fa79

pid	Process
4188	bcdedit.exe
1108	bcdedit.exe

Renames multiple (6574) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
4288	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

Inhibit System Recovery

pid	Process
3052	wbadmin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\A:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\J:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\Q:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\H:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\B:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\M:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\V:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\K:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\X:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\O:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\W:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\I:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\P:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\U:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\F:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\E:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\R:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\L:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\N:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\T:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\Y:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\A:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\S:	5df80f40ad8f77e7574e4dda1629ed60N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_achievements.targetsize-48.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\main.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-lightunplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.ps1	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\id.pak	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-200.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-24_altform-unplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20_altform-unplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\TellMeOneNote.nrr	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-125.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\Mozilla Firefox\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\3DViewerProductDescription-universal.xml	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_0.m4a	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-48_altform-unplated.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-100.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-white.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-200.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-125.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\common.lua	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Concrete.dxt	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	5df80f40ad8f77e7574e4dda1629ed60N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df80f40ad8f77e7574e4dda1629ed60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df80f40ad8f77e7574e4dda1629ed60N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
4968	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4692	taskkill.exe
2692	taskkill.exe
916	taskkill.exe
5032	taskkill.exe
4460	taskkill.exe
4320	taskkill.exe
4012	taskkill.exe
4896	taskkill.exe
3800	taskkill.exe
912	taskkill.exe
4300	taskkill.exe
3728	taskkill.exe
4744	taskkill.exe
5088	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{5EE81723-9609-44BE-9C9C-B110E6E370E4}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{61D2B992-0E04-455A-9831-4B7D3247A091}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{AE1F1FD2-C7CB-4563-A3FA-253933165672}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{9DC2D196-3487-4513-8F9A-5356BCA582EF}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe
1104	5df80f40ad8f77e7574e4dda1629ed60N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe
Token: SeBackupPrivilege	4264	vssvc.exe
Token: SeRestorePrivilege	4264	vssvc.exe
Token: SeAuditPrivilege	4264	vssvc.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	684	explorer.exe
Token: SeCreatePagefilePrivilege	684	explorer.exe
Token: SeShutdownPrivilege	684	explorer.exe
Token: SeCreatePagefilePrivilege	684	explorer.exe
Token: SeShutdownPrivilege	684	explorer.exe
Token: SeCreatePagefilePrivilege	684	explorer.exe
Token: SeShutdownPrivilege	684	explorer.exe
Token: SeCreatePagefilePrivilege	684	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
684	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2932	StartMenuExperienceHost.exe
304	StartMenuExperienceHost.exe
2720	SearchApp.exe
3912	StartMenuExperienceHost.exe
1264	SearchApp.exe
2012	StartMenuExperienceHost.exe
4996	StartMenuExperienceHost.exe
2060	SearchApp.exe
4648	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 4712	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	88
PID 1104 wrote to memory of 4712	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	88
PID 1104 wrote to memory of 4712	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	88
PID 4712 wrote to memory of 1656	4712	cmd.exe	90
PID 4712 wrote to memory of 1656	4712	cmd.exe	90
PID 1104 wrote to memory of 3696	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	91
PID 1104 wrote to memory of 3696	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	91
PID 1104 wrote to memory of 3696	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	91
PID 3696 wrote to memory of 4336	3696	cmd.exe	93
PID 3696 wrote to memory of 4336	3696	cmd.exe	93
PID 4336 wrote to memory of 4896	4336	cmd.exe	94
PID 4336 wrote to memory of 4896	4336	cmd.exe	94
PID 1104 wrote to memory of 4484	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	96
PID 1104 wrote to memory of 4484	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	96
PID 1104 wrote to memory of 4484	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	96
PID 4484 wrote to memory of 3816	4484	cmd.exe	98
PID 4484 wrote to memory of 3816	4484	cmd.exe	98
PID 3816 wrote to memory of 4692	3816	cmd.exe	99
PID 3816 wrote to memory of 4692	3816	cmd.exe	99
PID 1104 wrote to memory of 1700	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	100
PID 1104 wrote to memory of 1700	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	100
PID 1104 wrote to memory of 1700	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	100
PID 1700 wrote to memory of 1692	1700	cmd.exe	102
PID 1700 wrote to memory of 1692	1700	cmd.exe	102
PID 1692 wrote to memory of 3800	1692	cmd.exe	103
PID 1692 wrote to memory of 3800	1692	cmd.exe	103
PID 1104 wrote to memory of 4212	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	104
PID 1104 wrote to memory of 4212	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	104
PID 1104 wrote to memory of 4212	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	104
PID 4212 wrote to memory of 4708	4212	cmd.exe	106
PID 4212 wrote to memory of 4708	4212	cmd.exe	106
PID 4708 wrote to memory of 3728	4708	cmd.exe	107
PID 4708 wrote to memory of 3728	4708	cmd.exe	107
PID 1104 wrote to memory of 448	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	108
PID 1104 wrote to memory of 448	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	108
PID 1104 wrote to memory of 448	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	108
PID 448 wrote to memory of 1664	448	cmd.exe	110
PID 448 wrote to memory of 1664	448	cmd.exe	110
PID 1664 wrote to memory of 4744	1664	cmd.exe	111
PID 1664 wrote to memory of 4744	1664	cmd.exe	111
PID 1104 wrote to memory of 5012	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	112
PID 1104 wrote to memory of 5012	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	112
PID 1104 wrote to memory of 5012	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	112
PID 5012 wrote to memory of 2212	5012	cmd.exe	114
PID 5012 wrote to memory of 2212	5012	cmd.exe	114
PID 2212 wrote to memory of 5088	2212	cmd.exe	115
PID 2212 wrote to memory of 5088	2212	cmd.exe	115
PID 1104 wrote to memory of 1444	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	116
PID 1104 wrote to memory of 1444	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	116
PID 1104 wrote to memory of 1444	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	116
PID 1444 wrote to memory of 2328	1444	cmd.exe	118
PID 1444 wrote to memory of 2328	1444	cmd.exe	118
PID 2328 wrote to memory of 912	2328	cmd.exe	119
PID 2328 wrote to memory of 912	2328	cmd.exe	119
PID 1104 wrote to memory of 4456	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	120
PID 1104 wrote to memory of 4456	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	120
PID 1104 wrote to memory of 4456	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	120
PID 4456 wrote to memory of 3996	4456	cmd.exe	122
PID 4456 wrote to memory of 3996	4456	cmd.exe	122
PID 3996 wrote to memory of 2692	3996	cmd.exe	123
PID 3996 wrote to memory of 2692	3996	cmd.exe	123
PID 1104 wrote to memory of 4124	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	124
PID 1104 wrote to memory of 4124	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	124
PID 1104 wrote to memory of 4124	1104	5df80f40ad8f77e7574e4dda1629ed60N.exe	124

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5df80f40ad8f77e7574e4dda1629ed60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5df80f40ad8f77e7574e4dda1629ed60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5df80f40ad8f77e7574e4dda1629ed60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5df80f40ad8f77e7574e4dda1629ed60N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe
  "C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:980
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:5004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:3980
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:508
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1684
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:3268
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:4948
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1488
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1952
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:4944
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1496
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:2932
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:372
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2636
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:3460
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1444
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    PID:664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:936
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2508
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:4648
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:3012
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:5104
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4740
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:760
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:5004
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2940
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1108
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:3708
- C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe -network
  2⤵
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:2800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery