| Type | Path | Detection rationale | Severity |
|---|---|---|---|
| FILE_PATH | C:\Windows\System32\vssadmin.exe | Suspicious when vssadmin.exe is executed by non-system processes (cmd.exe, powershell.exe, WMI, or scripts) with "delete shadows" parameters, as attackers use this to destroy volume shadow copies and prevent recovery after ransomware encryption. Legitimate administrative use runs directly under the SYSTEM context for scheduled maintenance, does not issue shadow deletion commands, and is never spawned from user shells or applications; the malicious pattern is vssadmin.exe spawned by a malicious parent process or script. | high |
| FILE_PATH | C:\Windows\System32\wbem\wmic.exe | wmic.exe spawned by non-system processes (macro, script, or shell) to enumerate system information or disable Windows Defender/backup services. Legitimate usage typically originates from System or Administrator-initiated WMI queries, whereas malicious variants query suspicious WMI classes (e.g., Win32_SystemRestore, Win32_Service) without user interaction. | medium |
| FILE_PATH | C:\Windows\System32\bcdedit.exe | Suspicious when bcdedit.exe is executed by non-system processes such as Office macros, scripts, rundll32.exe, or command interpreters (cmd.exe, powershell.exe) to disable Windows recovery options, boot configuration data integrity checks, or code integrity enforcement; legitimate use is restricted to manual administrator execution or Windows Update and is never spawned from user applications or scripting engines. Detection should monitor for bcdedit.exe child processes originating from WINWORD.EXE, EXCEL.EXE, cscript.exe, powershell.exe, or rundll32.exe with command-line arguments containing /set, /bootdebug, /recoveryenabled off, or /integrityservices disable. These parent/argument combinations do not occur in legitimate administrative workflows, where bcdedit is invoked interactively by administrators from elevated command prompts with no interpreter or Office application in the parent process ancestry. | high |
| FILE_PATH | C:\Windows\System32\cmd.exe | Command shell spawned by a non-system process (e.g., Word, Excel, PowerPoint, or a script interpreter) to execute encoded/obfuscated commands or suspicious scripts. Legitimate cmd.exe is typically invoked directly by the user or by system services, not by document macros or scripting engines, and legitimate administrative use shows predictable command patterns rather than rapid-fire execution of net, wmic, powershell, or copy commands targeting network shares. | medium |
| FILE_PATH | C:\Windows\System32\net.exe | Used to enumerate network shares and disable security services when spawned by non-system processes (e.g., cmd.exe, powershell.exe, or Office applications). Legitimate use is restricted to interactive administrator sessions or scheduled tasks under the SYSTEM context, so look in EDR/Sysmon logs for command-line arguments containing "net share", "net stop", or "net disable-server-auth" paired with parent process anomalies or execution from user-writable directories. | medium |
| FILE_PATH | C:\Windows\System32\taskkill.exe | Suspicious when taskkill.exe is invoked by non-system processes (macros, scripts, or suspicious parent processes) to terminate security software (Defender, antivirus) or database services before ransomware encryption. Legitimate use typically originates from System, Administrator console sessions, or known management tools with specific service names, whereas malicious activity shows rapid successive terminations of multiple security/backup services with the /f (force) flag and no administrative logging context. | high |
| FILE_PATH | C:\Windows\System32\sc.exe | Suspicious when sc.exe is executed by non-system processes (macro applications, scripts, or unusual parent processes) to disable or stop security services (Windows Defender, backup agents, EDR). Legitimate use occurs only when invoked directly by administrators or system processes for service management, whereas malware abuse involves stopping protective services before encryption or lateral movement. | high |
| FILE_PATH | C:\Users\Public\ | Common staging directory for ransomware payloads and tools dropped on compromised systems. | medium |
| FILE_PATH | C:\ProgramData\ | Used as a staging area for ransomware binaries and configuration files when accessed by unusual processes (non-system services) or when executable files are written there by Office macros, scripts, or unsigned binaries. Legitimate use is restricted to Windows updates and security software, so monitor for file write events from user applications, cmd.exe, PowerShell, or WMI in this directory combined with subsequent execution from ProgramData or lateral movement attempts. | medium |
| FILE_PATH | C:\Windows\Temp\ | Suspicious when executable files are written to and immediately executed from C:\Windows\Temp\ by non-system processes (especially Office, scripts, or LOLBins), as legitimate applications rarely stage execution there. Hunt for process creation events with parent processes such as winword.exe, powershell.exe, or cscript.exe spawning children from this path, or file write events followed by execution within seconds; contrast this with normal temp file cleanup and cache operations, which occur without subsequent execution chains. | medium |
| FILE_PATH | C:\Windows\System32\wevtutil.exe | Suspicious when wevtutil.exe is spawned by non-system processes (cmd.exe, powershell.exe, Office macros, or scripting engines) to clear the Security, System, or Application event logs, as attackers use this technique post-compromise to destroy forensic evidence. Detection should focus on parent-child process relationships showing unsigned or user-context parents, command-line arguments containing "clear-log" or "cl" without a corresponding change management ticket, and rapid sequential execution. Legitimate administrative use is typically scheduled through Windows Task Scheduler or Group Policy with documented maintenance windows, executes from System or Administrator contexts, and applies specific retention policies rather than complete log deletion. | high |
| FILE_PATH | C:\Windows\System32\cipher.exe | Suspicious when spawned by non-native processes (PowerShell, WMI, macro applications) or executed from unusual directories, as legitimate cipher.exe usage is rare in typical enterprise environments and the advisory links this to ransomware operations. Search EDR/logs for cipher.exe with command-line arguments such as /w (wiping free space) or /e (encryption), parent process chains from Office/scripting engines, and execution outside the System32 context. | low |
| FILE_PATH | \\UMMC-fileserver\shared\ | Network share path typical of hospital file servers targeted for encryption in healthcare ransomware incidents. | low |
| FILE_PATH | C:\Windows\System32\rundll32.exe | rundll32.exe spawned by Office macros or script interpreters (PowerShell, cmd.exe, WScript) with DLL arguments pointing to temporary directories (%TEMP%, %APPDATA%) or unusual UNC paths indicates malicious DLL loading. Legitimate rundll32.exe typically executes from user-initiated actions with system DLL arguments and parent processes originating from explorer.exe or legitimate applications, not script engines. | medium |
| FILE_PATH | C:\Windows\System32\powershell.exe | PowerShell execution is suspicious when spawned by Office macros, WMI processes, or scheduled tasks with obfuscated command-line arguments (encoded payloads, the -EncodedCommand flag, or suspicious cmdlet use such as Invoke-WebRequest for credential harvesting). Legitimate admin use typically originates from user-initiated console launches or documented automation scripts with readable parameters, whereas ransomware chains show parent process anomalies, network connections to external C2, and rapid lateral movement commands targeting multiple remote systems. | high |