medusalocker | cb03c1677c165261557f0710ddc2e39790acac48ef038c71358ab5ad4f366cca

Analysis

max time kernel
149s
max time network
113s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-10-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

recovery42.exe
Size

419KB
MD5

68e664c654bcf9d558fb7b4f8da1f28d
SHA1

9deb213f58e48725bcc7974460b5e22cc3866cc1
SHA256

cb03c1677c165261557f0710ddc2e39790acac48ef038c71358ab5ad4f366cca
SHA512

5099414230ceb6c2903085f83f0cd267d7d9362f3c591681979119e52add81c31b032d95f477f7dc503d25da10a9e486b430336a58289b8297e1d79d190ab596
SSDEEP

6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC40:L3W6MoFlV+n4CQRoD9IygT/L+

Score

10^/10

medusalocker defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\USERS\PUBLIC\DESKTOP\HOW_TO_BACK_FILES.HTML

Family

medusalocker

Ransom Note

Your personal ID: Yu4S9Ld8euarCjmdGXLexQzRgUaK50iQ05SJb/Rtao4X3YAt97UmpzqhZhD6gV/dWoZSMuLgDbKt71IMod8GAYumdfYmTYa1E2Dkjk3Ie4wklhCpHuZqbPFJciDbeHjdbQiOpVpSjAHzRFlC4ic/M4IB9WenFGzTtyXo5Q0xJMOu8atKxf9ePJjNI4e48y9/9T4/pLi6/rphPF3A6usG8iLWil7hEB4aUvftepnr2rUK4f0Q9qdBaEo7yA1+i++oOfASvr7PMWlM1UwIUxf1Okdk+ZO95Z8IYjELqPs7HKu2wK4HhTZ9XHM4BwS8UY2piyS1PwOMnfs4Vuzhy3HzxcGHeZPeUD38OQ+SZA3Wn41+yIetk6STdAvMB+8zIHZKbjKpDjgFjlI1g0dFx23w29mCi5VsOYSG7oJVFQi3fZu0yYuUda3MRqyzMxh85bwhEsWE4AlPjY0GZITIC0dWLkT+xegHRTQkG/3bBYLivbLjikFVl3beuvvWMWFLnHZS/EK+Yxgg+JnNhKOk/COGH4j77jtQLQTmZSmm8V5+vXxMSLhTDLc4iyVjy2Um4psT5pEwBZDSEG8wU5Ec37xwqzV1wPuoF6s4Qpo/tbeYRw+jTdIN1G2ORE9kX9WrWBqLGVQ1ySPstk7V3E0hm2gNNZshFB9v7XUayGM4I/tUiWUF5UdCXGIo8c0zh3PBetDNmoYnmwBIy90w9cXKu1lSwNPqUw1FBGwcSAI7weqz4lX3rcPzCdGauKw49Ily2rLM3zU7u3MOoSs5Kw0Mpp87xqc1WO8WTOz17cykHhRXamem2blV7KJtov92MxUQBCTKKnFnE1v1SjF82MXDTkoL6/72wY3imtsPN6aSNTh14RNMT0y0v2HIXelJzo8SNJx9pCf+vv364Zra72suuF2YAK8CYGOCvJ3vkbV9vQR9HXTdfD9xZg2yjTd7p71CiBUuITuN+w92NftUn6IXSqLfmFvCjp7R4Ap0z0GWytzLQ4wsxyzwIxVRwf/9/nS0Eys1TiULxPv01kHzm1Kw36gA9RR1zMmJMP4aExX2TGOafX0Abh139DqWvDgdAxk652Bcd7WgNKQ7pJfhn4ip28oEci13sWYIKJYKjgFd2Hb8RXlnEtXLrpOwgommm0F6ueC1KgJYqS1cqE1UlzsmUlKAiGfI3SY36+a2Oy0Ez/eS0Qe07x/nxmPsKmdl7fSKyWffAh2vRTJwKjWfhTll/fhWTWJqhSl+s3CmOOvPP3uEff/qCEu5yS1Rcyroz+t0VV2J3EBVLmoBpwS+O2EU89nqKE5adtsJZROI8DdY5inLaPtBY2bie/tIMlFHxivPSjN95f0RqfHzf9hPKEzkwSoDiTZRguuYy5tc83bPQg4tafRVXaFlihOBHdbxgDFc7FE9mRgMjwvSgZQGtec0kV4XyNL+qlS5DSBmuxj6x9IxOH6ZoNSLtGD53WRtb1H6fRddXGx9YKH5yBZKCbe/LuEHtuEONejZ+8koYL34RJTQQGjGoEc9IRcLK1SqkscN28F2pyasOKYNMlgalAhuEjR4r8W71YlcygMToVObWYsQDQLkJLkOLcayLstThg6mHobRs2B3Ew/dX84RqlIt/CEI6VJMTRga+XrrozW3Lkj0sOd0nY8eJwH7WANgsdJ/uDp8ZSv/55I29q+j3J2Xl5EwKjcsYSlqmPLsNKY7SS+DZyc= /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
Medusalocker family
medusalocker

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

recovery42.exe

description	pid	Process	procid_target
PID 2192 created 3556	2192	recovery42.exe	57

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
728	bcdedit.exe
4312	bcdedit.exe

Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
1652	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
1268	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

recovery42.exerecovery42.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\recovery42.exe\""	recovery42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\recovery42.exe\""	recovery42.exe

Enumerates connected drives 3 TTPs 29 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

recovery42.exeexplorer.execipher.execipher.exe

description	ioc	Process
File opened (read-only)	\??\K:	recovery42.exe
File opened (read-only)	\??\T:	recovery42.exe
File opened (read-only)	\??\F:	recovery42.exe
File opened (read-only)	\??\G:	recovery42.exe
File opened (read-only)	\??\B:	recovery42.exe
File opened (read-only)	\??\P:	recovery42.exe
File opened (read-only)	\??\Z:	recovery42.exe
File opened (read-only)	\??\M:	recovery42.exe
File opened (read-only)	\??\U:	recovery42.exe
File opened (read-only)	\??\Y:	recovery42.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\A:	recovery42.exe
File opened (read-only)	\??\R:	recovery42.exe
File opened (read-only)	\??\X:	recovery42.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\W:	recovery42.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\E:	recovery42.exe
File opened (read-only)	\??\L:	recovery42.exe
File opened (read-only)	\??\N:	recovery42.exe
File opened (read-only)	\??\O:	recovery42.exe
File opened (read-only)	\??\H:	recovery42.exe
File opened (read-only)	\??\S:	recovery42.exe
File opened (read-only)	\??\V:	recovery42.exe
File opened (read-only)	\??\I:	recovery42.exe
File opened (read-only)	\??\J:	recovery42.exe
File opened (read-only)	\??\Q:	recovery42.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
5100	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
2632	taskkill.exe
2396	taskkill.exe
3624	taskkill.exe
4008	taskkill.exe
3980	taskkill.exe
3148	taskkill.exe
4076	taskkill.exe
3900	taskkill.exe
632	taskkill.exe
228	taskkill.exe
624	taskkill.exe
4840	taskkill.exe
2156	taskkill.exe
4472	taskkill.exe

Modifies registry class 10 IoCs

Processes:

explorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{39546B26-7B61-45B9-A64E-8AA44C64C109}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{A50A3EAE-74F7-4882-BDDB-250F68143717}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WMIC.exerecovery42.exe

pid	Process
4952	WMIC.exe
4952	WMIC.exe
4952	WMIC.exe
4952	WMIC.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe
2192	recovery42.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeexplorer.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4952	WMIC.exe
Token: SeSecurityPrivilege	4952	WMIC.exe
Token: SeTakeOwnershipPrivilege	4952	WMIC.exe
Token: SeLoadDriverPrivilege	4952	WMIC.exe
Token: SeSystemProfilePrivilege	4952	WMIC.exe
Token: SeSystemtimePrivilege	4952	WMIC.exe
Token: SeProfSingleProcessPrivilege	4952	WMIC.exe
Token: SeIncBasePriorityPrivilege	4952	WMIC.exe
Token: SeCreatePagefilePrivilege	4952	WMIC.exe
Token: SeBackupPrivilege	4952	WMIC.exe
Token: SeRestorePrivilege	4952	WMIC.exe
Token: SeShutdownPrivilege	4952	WMIC.exe
Token: SeDebugPrivilege	4952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4952	WMIC.exe
Token: SeRemoteShutdownPrivilege	4952	WMIC.exe
Token: SeUndockPrivilege	4952	WMIC.exe
Token: SeManageVolumePrivilege	4952	WMIC.exe
Token: 33	4952	WMIC.exe
Token: 34	4952	WMIC.exe
Token: 35	4952	WMIC.exe
Token: 36	4952	WMIC.exe
Token: SeBackupPrivilege	5056	vssvc.exe
Token: SeRestorePrivilege	5056	vssvc.exe
Token: SeAuditPrivilege	5056	vssvc.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	1532	explorer.exe
Token: SeCreatePagefilePrivilege	1532	explorer.exe
Token: SeShutdownPrivilege	4700	explorer.exe
Token: SeCreatePagefilePrivilege	4700	explorer.exe
Token: SeShutdownPrivilege	4700	explorer.exe
Token: SeCreatePagefilePrivilege	4700	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
1532	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

StartMenuExperienceHost.exeTextInputHost.exe

pid	Process
5072	StartMenuExperienceHost.exe
5096	TextInputHost.exe
5096	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

recovery42.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2192 wrote to memory of 3340	2192	recovery42.exe	81
PID 2192 wrote to memory of 3340	2192	recovery42.exe	81
PID 2192 wrote to memory of 3340	2192	recovery42.exe	81
PID 3340 wrote to memory of 4496	3340	cmd.exe	83
PID 3340 wrote to memory of 4496	3340	cmd.exe	83
PID 2192 wrote to memory of 2984	2192	recovery42.exe	84
PID 2192 wrote to memory of 2984	2192	recovery42.exe	84
PID 2192 wrote to memory of 2984	2192	recovery42.exe	84
PID 2984 wrote to memory of 4792	2984	cmd.exe	86
PID 2984 wrote to memory of 4792	2984	cmd.exe	86
PID 4792 wrote to memory of 2632	4792	cmd.exe	87
PID 4792 wrote to memory of 2632	4792	cmd.exe	87
PID 2192 wrote to memory of 4896	2192	recovery42.exe	90
PID 2192 wrote to memory of 4896	2192	recovery42.exe	90
PID 2192 wrote to memory of 4896	2192	recovery42.exe	90
PID 4896 wrote to memory of 4740	4896	cmd.exe	92
PID 4896 wrote to memory of 4740	4896	cmd.exe	92
PID 4740 wrote to memory of 2396	4740	cmd.exe	93
PID 4740 wrote to memory of 2396	4740	cmd.exe	93
PID 2192 wrote to memory of 1576	2192	recovery42.exe	94
PID 2192 wrote to memory of 1576	2192	recovery42.exe	94
PID 2192 wrote to memory of 1576	2192	recovery42.exe	94
PID 1576 wrote to memory of 3712	1576	cmd.exe	96
PID 1576 wrote to memory of 3712	1576	cmd.exe	96
PID 3712 wrote to memory of 3980	3712	cmd.exe	97
PID 3712 wrote to memory of 3980	3712	cmd.exe	97
PID 2192 wrote to memory of 2776	2192	recovery42.exe	98
PID 2192 wrote to memory of 2776	2192	recovery42.exe	98
PID 2192 wrote to memory of 2776	2192	recovery42.exe	98
PID 2776 wrote to memory of 4876	2776	cmd.exe	100
PID 2776 wrote to memory of 4876	2776	cmd.exe	100
PID 4876 wrote to memory of 3624	4876	cmd.exe	101
PID 4876 wrote to memory of 3624	4876	cmd.exe	101
PID 2192 wrote to memory of 1536	2192	recovery42.exe	102
PID 2192 wrote to memory of 1536	2192	recovery42.exe	102
PID 2192 wrote to memory of 1536	2192	recovery42.exe	102
PID 1536 wrote to memory of 4708	1536	cmd.exe	105
PID 1536 wrote to memory of 4708	1536	cmd.exe	105
PID 4708 wrote to memory of 3900	4708	cmd.exe	106
PID 4708 wrote to memory of 3900	4708	cmd.exe	106
PID 2192 wrote to memory of 3976	2192	recovery42.exe	107
PID 2192 wrote to memory of 3976	2192	recovery42.exe	107
PID 2192 wrote to memory of 3976	2192	recovery42.exe	107
PID 3976 wrote to memory of 1500	3976	cmd.exe	109
PID 3976 wrote to memory of 1500	3976	cmd.exe	109
PID 1500 wrote to memory of 3148	1500	cmd.exe	110
PID 1500 wrote to memory of 3148	1500	cmd.exe	110
PID 2192 wrote to memory of 4732	2192	recovery42.exe	111
PID 2192 wrote to memory of 4732	2192	recovery42.exe	111
PID 2192 wrote to memory of 4732	2192	recovery42.exe	111
PID 4732 wrote to memory of 4812	4732	cmd.exe	113
PID 4732 wrote to memory of 4812	4732	cmd.exe	113
PID 4812 wrote to memory of 4076	4812	cmd.exe	114
PID 4812 wrote to memory of 4076	4812	cmd.exe	114
PID 2192 wrote to memory of 1740	2192	recovery42.exe	115
PID 2192 wrote to memory of 1740	2192	recovery42.exe	115
PID 2192 wrote to memory of 1740	2192	recovery42.exe	115
PID 1740 wrote to memory of 5100	1740	cmd.exe	117
PID 1740 wrote to memory of 5100	1740	cmd.exe	117
PID 5100 wrote to memory of 4840	5100	cmd.exe	118
PID 5100 wrote to memory of 4840	5100	cmd.exe	118
PID 2192 wrote to memory of 1412	2192	recovery42.exe	119
PID 2192 wrote to memory of 1412	2192	recovery42.exe	119
PID 2192 wrote to memory of 1412	2192	recovery42.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\recovery42.exe
  "C:\Users\Admin\AppData\Local\Temp\recovery42.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:3304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:4712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:4620
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:404
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1116
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4936
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:4448
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:2092
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1840
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:2076
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:2828
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2340
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1248
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:3328
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2468
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:3612
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2592
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:1012
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:3888
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:940
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:4732
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2384
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2376
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2060
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:3636
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:728
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2624
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:1168
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:3516
- C:\Users\Admin\AppData\Local\Temp\recovery42.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\recovery42.exe -network
  2⤵
  - Adds Run key to start application
  PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
6312484727c1a2cc412d9d93213d1e69

SHA1
0f1a39055b02a7aaa5de73f5429dcffac626b2cb

SHA256
567e1cec266d2f2c8bbe463113050c598b8d94b161ad96eb79eac298bbbbb734

SHA512
147d43b3546aa99951bbc9bb20790677693823c1482197debcfdfc1692ad891c9de4e3528d3c6125b2f9050b8d56389f7a20273510230dba1aeb3f932d975296

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{40EC8FAD-9E16-4C23-A833-25E4D6A5B736}.2.ver0x0000000000000001.db

Filesize
2KB

MD5
fbc86e54d9d2cbb70031b98cb3cbb445

SHA1
e4a5a64d0ad93c2542f51e79efc2112d0615f265

SHA256
2c9005fab70cece870b4ed1f1226d1abca4d004db1ef708f95d51ab174265f26

SHA512
15da94ef5a26e3f35c7b2e100a8bb1e8af14d9d020e899e3dd37d6c22ac02d450afc6b8e0e140613c289dbe49d7dddc3e25ed8dde218d0e5afa845080c3aef31

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{40EC8FAD-9E16-4C23-A833-25E4D6A5B736}.2.ver0x0000000000000001.db.recovery42

Filesize
2KB

MD5
0b195bebff1b9b99c258261d87a51a92

SHA1
164ffc0a8dd33fa19ecc2aff54da644f82aa47b7

SHA256
4236be2ed502e74437490ff44e4416de1a4a18df0c4c157e62d112403f81c21a

SHA512
21870544e6db50549686aa159b045beafd2d4a330dee3ac5b0d48dbed8267671695b734505e902e303a3a820c63f8aa116e1efbe564935129e96e99cfe787d69

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db.recovery42

Filesize
290KB

MD5
37362912c8cce6cadb09bb293b65b090

SHA1
444fbdf6c4875d067642039e40df6a85ab000f7d

SHA256
007424cd5fe3c93c910736e2175f1f8334c261f7764707399b2527646bdd1f1d

SHA512
e4e9acecf344ce4ad49d2bc83de3011ae77e2b5b1852deb8b14bc3053c8b788f8dab13b8ede3f30c04bdb7c1b5b0ecd2b62b657a342f37ea9407508ae2d3f90f

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.recovery42

Filesize
624KB

MD5
7b27ab28b42bbac6edac3abd361c8e8a

SHA1
9100766dda15d456da834110e74a4bcdf3e6a04a

SHA256
a3b2048b7f237949c8504e11d9c1707c34f30c0e719d26c9e5687f0bfb6ee939

SHA512
22b5f8b04c1d0dc8666f7d88a92b49f39435f88e9c671877bb37936ec5cab91b7b501a868b9929efdc11e43e82bf87f844b7a6e0113349b8690ec5890ae148e3

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.recovery42

Filesize
624KB

MD5
7c1551165e1631910e20ad6665f4750c

SHA1
1eebf54d4f2ec45069694225f02b287be326aaf9

SHA256
78fb5ffd3f13a8224652822d1f32e0d01e490b5984f6c3c1c12a87c754c561db

SHA512
0ac6e8d773dd41ecfb68fdbdcef104ee32a148bfe3a912257a2995c5ee9466dddd4cf887081a194624a0c0e6d60cbe9cf7bc9e5fabea58a6deb371cfa4dd4387

Download Submit
C:\USERS\PUBLIC\DESKTOP\HOW_TO_BACK_FILES.HTML

Filesize
5KB

MD5
af2c9b7a585cf856e31258cb5a0e6ab4

SHA1
e05e6fcb5012b3b6848d7c33113d2c5c9e06d54a

SHA256
e09e0334ee9412c636ccc16630a4fe6bb265a764f7ba70ef71e2b317c63f7046

SHA512
37b87d21d5dac7d3f655abe5e4ab9ea0a034a23777dde3a11f1cf1520243f845af09d13e4294e9170662d63a9d5fd034b7276cc19b28184929d930f57d194be4

Download Submit