Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
  Resource: win10v2004-20240802-en
General
Target: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
Size: 422KB
MD5: f736ee661d70a5d7aa322f017e04b1d2
SHA1: eee99e6b7c58ecc95c75cd52eb7ac02d812c1a54
SHA256: ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679
SHA512: 23ff1b49955354a9a882ca2fd884157f75d937f00be2928acebab2a01fddcd018159cfd85df0e890cb2ecc0e40e6a02be926db29418928b320517ea6b538c8b8
SSDEEP: 6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  PID 3876 (ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe) created a process (procid_target 56) with PID 3380 as its parent.
  PID 3380 is Explorer.EXE, so the child is listed under Explorer in the process tree rather than under the sample. The second instance of the sample there (PID 3168, launched with -network, sitting directly beneath Explorer.EXE) is consistent with this parent-PID spoofing: parent/child views built from the PPID alone will not tie that instance back to PID 3876.
Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid Process: 2804 bcdedit.exe; 2728 bcdedit.exe
Renames multiple (135) files with added filename extension
  This is consistent with ransomware encrypting files on the system and appending an extension to each one.
Deletes System State backups (1 IoC)
  pid Process: 1184 wbadmin.exe
Deletes system backups (1 IoC)
  pid Process: 2880 wbadmin.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe\"" by ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
  The same value is recorded twice; both instances of the sample in the process tree (PID 3876 and PID 3168) carry this signature. The value name BabyLockerKZ is the persistence marker, and the data points at the sample's own location in the user's Temp directory.
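The Run-key entry above is how the sample persists across logons. The Python below is an added example written for this page, not code from the sandbox or from the sample's author. It takes registry value-set events in the shape this signature records (key path in the kernel's \REGISTRY\... form, value data as the command string), resolves the hive and value name, pulls the image path out of the value and flags any autostart that points into a user-writable location. The first input entry reproduces the report's IoC with the value data unescaped; the second, benign-looking entry and the list of user-writable roots are constructed assumptions of the example.

```python
"""Added example (not from the report): triage Run-key persistence entries by where they point."""
import re

# Constructed input in the shape of the "Set value (str)" IoC above: (key path, value data).
# The first entry reproduces the report's IoC (the report prints the value with escaped quotes
# and backslashes; this is the raw registry string). The second is made up for contrast.
REG_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ",
     r'"C:\Users\Admin\AppData\Local\Temp'
     r'\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

# Kernel-form path of the per-user and machine Run/RunOnce keys (WOW6432Node included).
# Groups: SID (None for HKLM), Run|RunOnce, value name.
RUN_KEY = re.compile(
    r"^\\REGISTRY\\(?:USER\\(S-1-5-21-[\d-]+)|MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)

# Locations a standard user can write to; an autostart pointing here deserves a look.
# The list is an assumption of this example, not something the report states.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata\\local\\temp|downloads|desktop)\\"
    r"|[a-z]:\\windows\\temp\\)", re.I)


def image_path(value):
    """Image the Run value launches: the quoted path if quoted, else the first token."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split(" ", 1)[0]


def classify(key, value):
    """Describe one Run-key value, or None if the key is not an autostart location."""
    m = RUN_KEY.match(key)
    if not m:
        return None
    sid, kind, name = m.groups()
    path = image_path(value)
    return {"hive": "HKU\\" + sid if sid else "HKLM", "key": kind, "name": name,
            "path": path, "suspicious": bool(USER_WRITABLE.match(path))}


def suspicious_run_entries(events):
    """All autostart values whose image lives in a user-writable location."""
    hits = (classify(k, v) for k, v in events)
    return [h for h in hits if h and h["suspicious"]]


if __name__ == "__main__":
    for hit in suspicious_run_entries(REG_EVENTS):
        print(hit)
```

The key path is matched in the kernel-object form the sandbox records (\REGISTRY\USER\<SID>\...); tools that report HKCU\... paths need that prefix mapped before the same check applies. The path test is the cheap first filter: an autostart under a user's Temp directory, as here, is rarely legitimate and is worth pairing with the file hash from the General section.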
Enumerates connected drives (3 TTPs, 26 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 entries; every letter except C: and D:)
  File opened (read-only) by cipher.exe: \??\A: \??\F: (2 entries)
  cipher.exe was also run against C: (PID 4876 in the process tree); that open falls outside this signature, which excludes the default C: drive.
Drops file in Windows directory (3 IoCs)
  File opened for modification by wbadmin.exe: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl, C:\Windows\Logs\WindowsBackup\WBEngine.2.etl, C:\Windows\Logs\WindowsBackup\WBEngine.3.etl
  These are the Windows Backup engine's own trace logs, written as a side effect of the wbadmin invocations in the process tree; nothing under this signature is written by the sample itself.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 30 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe (30 identical entries)
  All 30 hits come from the 32-bit cmd.exe wrappers at the third level of the process tree (there are exactly 30 of them, one per command, and each carries this signature). Read this as a by-product of spawning cmd.exe thirty times, not as a deliberate locale check by the sample.
Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid Process: 828 vssadmin.exe
Kills process with taskkill (14 IoCs)
  pid Process: 4992, 1136, 1508, 3680, 5036, 2808, 5052, 404, 2408, 4792, 2920, 2440, 1180, 844 (all taskkill.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid Process: 3876 ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe, the same process on all 64 entries
Suspicious use of AdjustPrivilegeToken (36 IoCs)
  SeDebugPrivilege enabled by taskkill.exe, PIDs 4992, 4792, 2920, 1136, 1508, 1180, 3680, 5036, 5052, 404, 2808, 2408 (12 entries)
  WMIC.exe PID 4284 enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries)
  vssvc.exe PID 800 enabled: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
  The numeric tokens 33 to 36 are privilege LUIDs the report did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). WMIC.exe enabling its entire privilege set is its normal start-up behaviour and is not something the sample did; taskkill.exe enables SeDebugPrivilege so that -f can terminate processes its token would not otherwise reach. The entries attributable to the sample's intent are therefore the twelve taskkill lines, not the count of 36.
Suspicious use of WriteProcessMemory (64 IoCs)
  Each line reads "writer PID (image) -> target PID (procid_target) x repetitions". Every target is the writer's own direct child in the process tree (the sample writing into the 32-bit cmd.exe it spawns, each cmd.exe writing into the cmd.exe or tool it spawns), so this is the parent-to-child write that accompanies process creation rather than injection into an unrelated process. The 64 entries run only as far as the SQLAGENT.EXE chain (PID 1800); later chains in the tree have no entries here.
  3876 (sample) -> 1072 (87) x3
  1072 (cmd.exe) -> 2408 (89) x2
  3876 (sample) -> 440 (90) x3
  440 (cmd.exe) -> 1040 (92) x2
  1040 (cmd.exe) -> 4992 (93) x2
  3876 (sample) -> 768 (96) x3
  768 (cmd.exe) -> 2412 (99) x2
  2412 (cmd.exe) -> 2440 (100) x2
  3876 (sample) -> 2468 (101) x3
  2468 (cmd.exe) -> 3188 (104) x2
  3188 (cmd.exe) -> 4792 (105) x2
  3876 (sample) -> 1616 (106) x3
  1616 (cmd.exe) -> 4300 (108) x2
  4300 (cmd.exe) -> 2920 (109) x2
  3876 (sample) -> 3600 (110) x3
  3600 (cmd.exe) -> 3128 (112) x2
  3128 (cmd.exe) -> 1136 (113) x2
  3876 (sample) -> 1224 (114) x3
  1224 (cmd.exe) -> 2644 (116) x2
  2644 (cmd.exe) -> 1508 (117) x2
  3876 (sample) -> 1424 (118) x3
  1424 (cmd.exe) -> 1232 (120) x2
  1232 (cmd.exe) -> 1180 (121) x2
  3876 (sample) -> 2824 (122) x3
  2824 (cmd.exe) -> 4072 (124) x2
  4072 (cmd.exe) -> 3680 (125) x2
  3876 (sample) -> 1800 (126) x3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

The tree below is indented by parent/child depth. Each entry reads "PID  image  ::  command line", followed by the signatures that fired on that process. Command lines are reproduced exactly as the sample issued them, including its own typos (recoverynabled where bcdedit expects recoveryenabled, SYSTEMSTABACKUP, "-impostgres.exe" with no space after -im, and "sql writer.exe" split into two arguments); the report does not record whether those commands succeeded. Several PIDs are reused during the run (2408, 1136, 1224, 1424, 1800, 2824 and 2848 each appear on two different processes), so correlate on parent chain and command line rather than on PID alone. Every command the sample runs goes through the same hop: a 32-bit cmd.exe from SysWOW64 re-launches a 64-bit cmd.exe through the %windir%\sysnative alias, and that second cmd.exe runs the tool.

PID 3380  C:\Windows\Explorer.EXE  ::  C:\Windows\Explorer.EXE
  PID 3876  C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe  ::  "C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Adds Run key to start application; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID 1072  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 2408  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    PID 440  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 1040  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 4992  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im sqlbrowser.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 768  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 2412  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 2440  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im sql writer.exe
          signatures: Kills process with taskkill
    PID 2468  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 3188  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 4792  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im sqlserv.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 1616  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 4300  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 2920  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im msmdsrv.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 3600  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 3128  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 1136  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im MsDtsSrvr.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 1224  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 2644  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 1508  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im sqlceip.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 1424  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 1232  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 1180  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im fdlauncher.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 2824  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 4072  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        signatures: Suspicious use of WriteProcessMemory
        PID 3680  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im Ssms.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 1800  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      signatures: System Location Discovery: System Language Discovery
      PID 2828  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        PID 5036  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im SQLAGENT.EXE
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 3656  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      signatures: System Location Discovery: System Language Discovery
      PID 2848  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        PID 5052  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im fdhost.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 4648  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      signatures: System Location Discovery: System Language Discovery
      PID 1604  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        PID 404  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im ReportingServicesService.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 3436  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      signatures: System Location Discovery: System Language Discovery
      PID 3588  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        PID 2808  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im msftesql.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 4636  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      signatures: System Location Discovery: System Language Discovery
      PID 2436  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        PID 2408  C:\Windows\system32\taskkill.exe  ::  taskkill -f -im pg_ctl.exe
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 3960  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      signatures: System Location Discovery: System Language Discovery
      PID 3460  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
        PID 844  C:\Windows\system32\taskkill.exe  ::  taskkill -f -impostgres.exe
          signatures: Kills process with taskkill
    PID 668  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      signatures: System Location Discovery: System Language Discovery
      PID 4928  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        PID 3308  C:\Windows\system32\net.exe  ::  net stop MSSQLServerADHelper100
          PID 2840  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop MSSQLServerADHelper100
    PID 4536  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      signatures: System Location Discovery: System Language Discovery
      PID 368  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        PID 4808  C:\Windows\system32\net.exe  ::  net stop MSSQL$ISARS
          PID 664  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop MSSQL$ISARS
    PID 5008  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      signatures: System Location Discovery: System Language Discovery
      PID 2888  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        PID 2752  C:\Windows\system32\net.exe  ::  net stop MSSQL$MSFW
          PID 4872  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop MSSQL$MSFW
    PID 612  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      signatures: System Location Discovery: System Language Discovery
      PID 1276  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        PID 3640  C:\Windows\system32\net.exe  ::  net stop SQLAgent$ISARS
          PID 4544  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop SQLAgent$ISARS
    PID 1136  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      signatures: System Location Discovery: System Language Discovery
      PID 1172  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        PID 992  C:\Windows\system32\net.exe  ::  net stop SQLAgent$MSFW
          PID 3452  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop SQLAgent$MSFW
    PID 1224  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      signatures: System Location Discovery: System Language Discovery
      PID 4380  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        PID 4780  C:\Windows\system32\net.exe  ::  net stop SQLBrowser
          PID 1212  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop SQLBrowser
    PID 1424  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
      signatures: System Location Discovery: System Language Discovery
      PID 2024  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
        PID 1832  C:\Windows\system32\net.exe  ::  net stop REportServer$ISARS
          PID 860  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop REportServer$ISARS
    PID 2824  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      signatures: System Location Discovery: System Language Discovery
      PID 3908  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        PID 4264  C:\Windows\system32\net.exe  ::  net stop SQLWriter
          PID 1800  C:\Windows\system32\net1.exe  ::  C:\Windows\system32\net1 stop SQLWriter
    PID 1944  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      signatures: System Location Discovery: System Language Discovery
      PID 2220  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        PID 828  C:\Windows\system32\vssadmin.exe  ::  vssadmin.exe Delete Shadows /All /Quiet
          signatures: Interacts with shadow copies
    PID 556  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      signatures: System Location Discovery: System Language Discovery
      PID 4000  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
        PID 2880  C:\Windows\system32\wbadmin.exe  ::  wbadmin delete backup -keepVersion:0 -quiet
          signatures: Deletes system backups; Drops file in Windows directory
    PID 2676  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      signatures: System Location Discovery: System Language Discovery
      PID 3852  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        PID 1184  C:\Windows\system32\wbadmin.exe  ::  wbadmin DELETE SYSTEMSTATEBACKUP
          signatures: Deletes System State backups
    PID 4772  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      signatures: System Location Discovery: System Language Discovery
      PID 1100  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        PID 924  C:\Windows\system32\wbadmin.exe  ::  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    PID 2848  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      signatures: System Location Discovery: System Language Discovery
      PID 5112  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        PID 4284  C:\Windows\System32\Wbem\WMIC.exe  ::  wmic.exe SHADOWCOPY /nointeractive
          signatures: Suspicious use of AdjustPrivilegeToken
    PID 884  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      signatures: System Location Discovery: System Language Discovery
      PID 624  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
        PID 2804  C:\Windows\system32\bcdedit.exe  ::  bcdedit.exe /set {default} recoverynabled No
          signatures: Modifies boot configuration data using bcdedit
    PID 2280  C:\Windows\SysWOW64\cmd.exe  ::  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      signatures: System Location Discovery: System Language Discovery
      PID 4968  C:\Windows\system32\cmd.exe  ::  C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        PID 2728  C:\Windows\system32\bcdedit.exe  ::  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          signatures: Modifies boot configuration data using bcdedit
    PID 3524  C:\Windows\SYSTEM32\cipher.exe  ::  cipher /w:\\?\A:
      signatures: Enumerates connected drives
    PID 4876  C:\Windows\SYSTEM32\cipher.exe  ::  cipher /w:\\?\C:
    PID 1148  C:\Windows\SYSTEM32\cipher.exe  ::  cipher /w:\\?\F:
      signatures: Enumerates connected drives
  PID 3168  C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe  ::  \\?\C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe -network
    signatures: Adds Run key to start application
PID 800  C:\Windows\system32\vssvc.exe  ::  C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
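The recovery-inhibition chain recorded in the Signatures section and laid out in the process tree above (service kills, shadow-copy and backup deletion, bcdedit changes, cipher /w) can be turned into detection logic that attributes each command back to the process that drove it. The Python below is an added example written for this page, not code from the sandbox or from the sample's author. Its input is a constructed list of process-creation events in Sysmon Event ID 1 shape (pid, ppid, image, command line), modelled on the tree above and covering a representative subset of it, with the sample's own typo'd commands kept so the rules can show matching on intent rather than exact syntax. The rule table, the thresholds in `verdict`, and the attribution through cmd.exe wrappers in `origin` are assumptions of this example, not something the report states.

```python
"""Added example (not code from the report or the sample): rebuild a process tree from
process-creation events and flag the recovery-inhibition chain the report above records."""
import re
from collections import defaultdict

# Constructed events in Sysmon Event ID 1 shape: (pid, ppid, image, command line).
# Modelled on the process tree above; this is not a live capture.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe")
WOW_CMD, SYS_CMD = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"
TASKKILL, NET = r"C:\Windows\system32\taskkill.exe", r"C:\Windows\system32\net.exe"
VSSADMIN, WBADMIN = r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\wbadmin.exe"
WMIC, BCDEDIT = r"C:\Windows\System32\Wbem\WMIC.exe", r"C:\Windows\system32\bcdedit.exe"


def hop(p_wow, p_sys, p_tool, tool_image, tool_cmd, parent=3876):
    """The three-process pattern the tree shows for every command: a 32-bit cmd.exe
    re-launches a 64-bit cmd.exe through the sysnative alias, which then runs the tool."""
    return [
        (p_wow, parent, WOW_CMD,
         r"\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c " + tool_cmd),
        (p_sys, p_wow, SYS_CMD, r"C:\Windows\sysnative\cmd.exe /c " + tool_cmd),
        (p_tool, p_sys, tool_image, tool_cmd),
    ]


EVENTS = [
    (3380, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (3876, 3380, SAMPLE, '"' + SAMPLE + '"'),
    *hop(440, 1040, 4992, TASKKILL, "taskkill -f -im sqlbrowser.exe"),
    *hop(2468, 3188, 4792, TASKKILL, "taskkill -f -im sqlserv.exe"),
    *hop(3960, 3460, 844, TASKKILL, "taskkill -f -impostgres.exe"),  # sample's own typo
    *hop(668, 4928, 3308, NET, "net stop MSSQLServerADHelper100"),
    *hop(4536, 368, 4808, NET, "net stop MSSQL$ISARS"),
    *hop(1944, 2220, 828, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    *hop(556, 4000, 2880, WBADMIN, "wbadmin delete backup -keepVersion:0 -quiet"),
    *hop(4772, 1100, 924, WBADMIN, "wbadmin DELETE SYSTEMSTABACKUP -deleteOldest"),  # typo
    *hop(2848, 5112, 4284, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    *hop(884, 624, 2804, BCDEDIT, "bcdedit.exe /set {default} recoverynabled No"),  # typo
    *hop(2280, 4968, 2728, BCDEDIT,
         "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (3524, 3876, r"C:\Windows\SYSTEM32\cipher.exe", r"cipher /w:\\?\A:"),
    (3168, 3380, SAMPLE, "\\\\?\\" + SAMPLE + " -network"),  # parent is Explorer (PPID spoof)
    (800, 1, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Rule table (an assumption of this example). Patterns are deliberately tolerant so the
# typo'd variants above still match: the intent is clear even where the tool rejects them.
RULES = [(name, re.compile(pat, re.I)) for name, pat in [
    ("inhibit_recovery", r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("inhibit_recovery", r"wbadmin\s+delete\s+(?:backup|systemsta\w*backup)"),
    ("inhibit_recovery", r"wmic(?:\.exe)?\s+shadowcopy"),
    ("inhibit_recovery", r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                         r"(?:recover\w*\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wipe_free_space", r"cipher(?:\.exe)?\s+/w:"),
    ("service_kill", r"(?:taskkill\b.*\s-im\s*\S+|net\s+stop\s+\S+)"),
    ("wow64_hop", r"syswow64\\cmd\.exe.*sysnative\\cmd\.exe"),
]]


def origin(pid, tree):
    """Climb from pid to the nearest ancestor that is not a cmd.exe wrapper: the process
    that actually drove the command. Falls back to pid itself if no ancestor is known."""
    ppid = tree[pid][0]
    while ppid in tree:
        if not tree[ppid][1].lower().endswith("\\cmd.exe"):
            return ppid
        ppid = tree[ppid][0]
    return pid


def analyze(events):
    """Return {origin_pid: {rule: sorted distinct matched fragments}}. The same command
    text appears on all three levels of a hop, so matches are de-duplicated per origin."""
    tree = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    found = defaultdict(lambda: defaultdict(set))
    for pid, _, _, cmd in events:
        for name, rx in RULES:
            m = rx.search(cmd)
            if m:
                found[origin(pid, tree)][name].add(m.group(0).lower())
    return {o: {n: sorted(v) for n, v in r.items()} for o, r in found.items()}


def verdict(findings, pid):
    """Summarise one origin: distinct recovery-inhibition commands and service kills it drove."""
    f = findings.get(pid, {})
    n_rec, n_kill = len(f.get("inhibit_recovery", [])), len(f.get("service_kill", []))
    return {"pid": pid, "recovery_cmds": n_rec, "service_kills": n_kill,
            "wow64_hop": "wow64_hop" in f, "wipes_free_space": "wipe_free_space" in f,
            "severe": n_rec >= 2 and n_kill >= 3}


if __name__ == "__main__":
    findings = analyze(EVENTS)
    for pid in findings:
        print(verdict(findings, pid))
```

Two design points matter in practice. First, attribution walks past the cmd.exe wrappers, so every finding lands on PID 3876 rather than on sixty throw-away shells; on a real host that is the process to isolate and the binary to hash. Second, the bcdedit and wbadmin patterns use `recover\w*` and `systemsta\w*backup` on purpose: the typo'd invocations in this report would fail on a real machine, but the attempt is still the signal a responder wants, and a rule that insists on `recoveryenabled` spelled correctly would miss it.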
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (4)
    File Deletion (4)
  Modify Registry (1)