83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

Analysis

max time kernel
129s
max time network
67s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-04-2023 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.exe
Size

76KB
MD5

56895d0a3d6b6f9107448c4c94c8608e
SHA1

cf0243d461f1b820df9861ea5930a02c211d8ef6
SHA256

83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928
SHA512

d8893fb5b7ddf854f85a3196d2d2b9ea6807ea9c1937b7a7fcfae2261ba9eaab2d18b66646e93ffec21d64caccdba9e2b1f3fc4e0be006c837c3df8493ec4b49
SSDEEP

1536:dPpMF9fS4PUP511AtDxD93D+e+xKiSUrJTsD:za4P511INpCe2LrJTs

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: db1583f91c9b74ea

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan.Win32.exe\""	HEUR-Trojan.Win32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Security Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan.Win32.exe\""	HEUR-Trojan.Win32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_db1583f91c9b74ea.exe\""	HEUR-Trojan.Win32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*SecurityFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_db1583f91c9b74ea.exe\""	HEUR-Trojan.Win32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\E:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\F:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\G:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\O:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\P:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\T:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\X:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\A:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\H:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\I:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\S:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\U:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\V:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\J:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\K:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\M:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\N:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\Q:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\Z:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\L:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\R:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\W:	HEUR-Trojan.Win32.exe
File opened (read-only)	\??\Y:	HEUR-Trojan.Win32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	HEUR-Trojan.Win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1652	vssadmin.exe
1232	vssadmin.exe
1336	vssadmin.exe
1732	vssadmin.exe
948	vssadmin.exe
860	vssadmin.exe
1700	vssadmin.exe
2604	vssadmin.exe
2672	vssadmin.exe
1752	vssadmin.exe
2084	vssadmin.exe
2576	vssadmin.exe
2276	vssadmin.exe
2292	vssadmin.exe
2452	vssadmin.exe
2484	vssadmin.exe
2944	vssadmin.exe
2616	vssadmin.exe
956	vssadmin.exe
868	vssadmin.exe
748	vssadmin.exe
1532	vssadmin.exe
2268	vssadmin.exe
2396	vssadmin.exe
2568	vssadmin.exe
2788	vssadmin.exe
2908	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2580	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1344	WMIC.exe
Token: SeSecurityPrivilege	1344	WMIC.exe
Token: SeTakeOwnershipPrivilege	1344	WMIC.exe
Token: SeLoadDriverPrivilege	1344	WMIC.exe
Token: SeSystemProfilePrivilege	1344	WMIC.exe
Token: SeSystemtimePrivilege	1344	WMIC.exe
Token: SeProfSingleProcessPrivilege	1344	WMIC.exe
Token: SeIncBasePriorityPrivilege	1344	WMIC.exe
Token: SeCreatePagefilePrivilege	1344	WMIC.exe
Token: SeBackupPrivilege	1344	WMIC.exe
Token: SeRestorePrivilege	1344	WMIC.exe
Token: SeShutdownPrivilege	1344	WMIC.exe
Token: SeDebugPrivilege	1344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1344	WMIC.exe
Token: SeRemoteShutdownPrivilege	1344	WMIC.exe
Token: SeUndockPrivilege	1344	WMIC.exe
Token: SeManageVolumePrivilege	1344	WMIC.exe
Token: 33	1344	WMIC.exe
Token: 34	1344	WMIC.exe
Token: 35	1344	WMIC.exe
Token: SeBackupPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	2192	vssvc.exe
Token: SeAuditPrivilege	2192	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1344	WMIC.exe
Token: SeSecurityPrivilege	1344	WMIC.exe
Token: SeTakeOwnershipPrivilege	1344	WMIC.exe
Token: SeLoadDriverPrivilege	1344	WMIC.exe
Token: SeSystemProfilePrivilege	1344	WMIC.exe
Token: SeSystemtimePrivilege	1344	WMIC.exe
Token: SeProfSingleProcessPrivilege	1344	WMIC.exe
Token: SeIncBasePriorityPrivilege	1344	WMIC.exe
Token: SeCreatePagefilePrivilege	1344	WMIC.exe
Token: SeBackupPrivilege	1344	WMIC.exe
Token: SeRestorePrivilege	1344	WMIC.exe
Token: SeShutdownPrivilege	1344	WMIC.exe
Token: SeDebugPrivilege	1344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1344	WMIC.exe
Token: SeRemoteShutdownPrivilege	1344	WMIC.exe
Token: SeUndockPrivilege	1344	WMIC.exe
Token: SeManageVolumePrivilege	1344	WMIC.exe
Token: 33	1344	WMIC.exe
Token: 34	1344	WMIC.exe
Token: 35	1344	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1980	1704	HEUR-Trojan.Win32.exe	30
PID 1704 wrote to memory of 1980	1704	HEUR-Trojan.Win32.exe	30
PID 1704 wrote to memory of 1980	1704	HEUR-Trojan.Win32.exe	30
PID 1704 wrote to memory of 1980	1704	HEUR-Trojan.Win32.exe	30
PID 1704 wrote to memory of 608	1704	HEUR-Trojan.Win32.exe	32
PID 1704 wrote to memory of 608	1704	HEUR-Trojan.Win32.exe	32
PID 1704 wrote to memory of 608	1704	HEUR-Trojan.Win32.exe	32
PID 1704 wrote to memory of 608	1704	HEUR-Trojan.Win32.exe	32
PID 1704 wrote to memory of 1924	1704	HEUR-Trojan.Win32.exe	34
PID 1704 wrote to memory of 1924	1704	HEUR-Trojan.Win32.exe	34
PID 1704 wrote to memory of 1924	1704	HEUR-Trojan.Win32.exe	34
PID 1704 wrote to memory of 1924	1704	HEUR-Trojan.Win32.exe	34
PID 1704 wrote to memory of 1376	1704	HEUR-Trojan.Win32.exe	36
PID 1704 wrote to memory of 1376	1704	HEUR-Trojan.Win32.exe	36
PID 1704 wrote to memory of 1376	1704	HEUR-Trojan.Win32.exe	36
PID 1704 wrote to memory of 1376	1704	HEUR-Trojan.Win32.exe	36
PID 1980 wrote to memory of 1652	1980	cmd.exe	37
PID 1980 wrote to memory of 1652	1980	cmd.exe	37
PID 1980 wrote to memory of 1652	1980	cmd.exe	37
PID 1980 wrote to memory of 1652	1980	cmd.exe	37
PID 1704 wrote to memory of 1948	1704	HEUR-Trojan.Win32.exe	39
PID 1704 wrote to memory of 1948	1704	HEUR-Trojan.Win32.exe	39
PID 1704 wrote to memory of 1948	1704	HEUR-Trojan.Win32.exe	39
PID 1704 wrote to memory of 1948	1704	HEUR-Trojan.Win32.exe	39
PID 608 wrote to memory of 1344	608	cmd.exe	41
PID 608 wrote to memory of 1344	608	cmd.exe	41
PID 608 wrote to memory of 1344	608	cmd.exe	41
PID 608 wrote to memory of 1344	608	cmd.exe	41
PID 1704 wrote to memory of 1364	1704	HEUR-Trojan.Win32.exe	42
PID 1704 wrote to memory of 1364	1704	HEUR-Trojan.Win32.exe	42
PID 1704 wrote to memory of 1364	1704	HEUR-Trojan.Win32.exe	42
PID 1704 wrote to memory of 1364	1704	HEUR-Trojan.Win32.exe	42
PID 1924 wrote to memory of 1752	1924	cmd.exe	43
PID 1924 wrote to memory of 1752	1924	cmd.exe	43
PID 1924 wrote to memory of 1752	1924	cmd.exe	43
PID 1924 wrote to memory of 1752	1924	cmd.exe	43
PID 1704 wrote to memory of 1552	1704	HEUR-Trojan.Win32.exe	44
PID 1704 wrote to memory of 1552	1704	HEUR-Trojan.Win32.exe	44
PID 1704 wrote to memory of 1552	1704	HEUR-Trojan.Win32.exe	44
PID 1704 wrote to memory of 1552	1704	HEUR-Trojan.Win32.exe	44
PID 1376 wrote to memory of 860	1376	cmd.exe	46
PID 1376 wrote to memory of 860	1376	cmd.exe	46
PID 1376 wrote to memory of 860	1376	cmd.exe	46
PID 1376 wrote to memory of 860	1376	cmd.exe	46
PID 1704 wrote to memory of 1996	1704	HEUR-Trojan.Win32.exe	48
PID 1704 wrote to memory of 1996	1704	HEUR-Trojan.Win32.exe	48
PID 1704 wrote to memory of 1996	1704	HEUR-Trojan.Win32.exe	48
PID 1704 wrote to memory of 1996	1704	HEUR-Trojan.Win32.exe	48
PID 1948 wrote to memory of 956	1948	cmd.exe	49
PID 1948 wrote to memory of 956	1948	cmd.exe	49
PID 1948 wrote to memory of 956	1948	cmd.exe	49
PID 1948 wrote to memory of 956	1948	cmd.exe	49
PID 1704 wrote to memory of 840	1704	HEUR-Trojan.Win32.exe	50
PID 1704 wrote to memory of 840	1704	HEUR-Trojan.Win32.exe	50
PID 1704 wrote to memory of 840	1704	HEUR-Trojan.Win32.exe	50
PID 1704 wrote to memory of 840	1704	HEUR-Trojan.Win32.exe	50
PID 1704 wrote to memory of 1728	1704	HEUR-Trojan.Win32.exe	52
PID 1704 wrote to memory of 1728	1704	HEUR-Trojan.Win32.exe	52
PID 1704 wrote to memory of 1728	1704	HEUR-Trojan.Win32.exe	52
PID 1704 wrote to memory of 1728	1704	HEUR-Trojan.Win32.exe	52
PID 1364 wrote to memory of 1700	1364	cmd.exe	54
PID 1364 wrote to memory of 1700	1364	cmd.exe	54
PID 1364 wrote to memory of 1700	1364	cmd.exe	54
PID 1364 wrote to memory of 1700	1364	cmd.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  PID:840
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  PID:560
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  PID:532
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  PID:3060
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-123240953182850162812487041801571282077-8286666711485676090-17992087321973256177"
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact