8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9

Analysis

max time kernel
132s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Snocry.exe
Size

84KB
MD5

420b2f010edbc63a68b2cce2cdf1e5e9
SHA1

4cf5072cfe0eb42d387713067e2706902c89b294
SHA256

8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
SHA512

de85edb0217c3d1e615e81154831fe0f3f7c7514f843f253eecf38da09895558b4dc71c1e4141dd196bda7aa75d2c14c85658355a834f98238370df0bea46f35
SSDEEP

1536:cYYxci1ZP39zud52ilpPXvlMq12Kpuyjg1kF3mI:+xFyd52ilpPX6q2y8kF3j

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 2013d4951c9b74ea </div> </body> </html>

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 2013d4951c9b74ea

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\users\admin\pictures\readbackup.tiff	Trojan-Ransom.Win32.Snocry.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan-Ransom.Win32.Snocry.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan-Ransom.Win32.Snocry.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_2013d4951c9b74ea.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_2013d4951c9b74ea.exe\""	Trojan-Ransom.Win32.Snocry.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\F:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.Snocry.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
996	vssadmin.exe
1656	vssadmin.exe
1104	vssadmin.exe
2840	vssadmin.exe
2100	vssadmin.exe
2488	vssadmin.exe
2540	vssadmin.exe
2976	vssadmin.exe
912	vssadmin.exe
2116	vssadmin.exe
2656	vssadmin.exe
2740	vssadmin.exe
1948	vssadmin.exe
2324	vssadmin.exe
2672	vssadmin.exe
1136	vssadmin.exe
2420	vssadmin.exe
1364	vssadmin.exe
2172	vssadmin.exe
2524	vssadmin.exe
2944	vssadmin.exe
2044	vssadmin.exe
1588	vssadmin.exe
364	vssadmin.exe
2088	vssadmin.exe
2080	vssadmin.exe
2604	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "389215884"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000154b2fc6403abd3b80facf5c8c7e98effcc3790dfa91a8edf204d709e6552cee000000000e800000000200002000000097e6b999a8144612dc0e4986a92422062806a8b282d3bf51176b7dc4e3cb8668200000000561aa58e4379e2dd942e88e1e96d4cef8a33c8b5f5463ea94297b45d0c059f3400000005a7509ce981a91656cd6be6184375973fcc07bc1188d3b9d84de74e5dbcae37a08a674623a1a23c3885fde75db06c8ad9175ccc70f381f89acd7bc96e71e2ca1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c11531ac77d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B2ADB91-E39F-11ED-AC6A-6E0AA2656971} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000aef86376d87ded6a0e018c7a4a21972eae196ce3eb21c8616d067a713ea7c7bb000000000e80000000020000200000002c73051a01493d02a174d4fd1fe4e6942b798b6a2cb9d5d50a23c0bfc883ef4c9000000066e3ba7b40e94ba10bbe840778b7ad1d6784d2a89f6280e7bfc4c52d9e8d13ec4e7ed55e4f2487001e98811eb0fd2db0978a04ac02745c476308a079bedc80266b3d7a8381c5e7b52dd88bb8929b6835a9caf90d7f4744cd812a1625fb2d3a4f26a921c0c47964319e93d317d509b79e5a35ee1ec051b2f714adef79b74957b17e91b71dcb236ef74e7064fa8d7dcec740000000e706571d8414d8b309b777975dbecdbde5f2015412adccc4197f90d3bc1ba7101ed9193a34b14a8648de3ed8e48f4d34d564fa9599605962965e8b8942b78ade	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Trojan-Ransom.Win32.Snocry.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Trojan-Ransom.Win32.Snocry.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Trojan-Ransom.Win32.Snocry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Trojan-Ransom.Win32.Snocry.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Trojan-Ransom.Win32.Snocry.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3256	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1312	WMIC.exe
Token: SeSecurityPrivilege	1312	WMIC.exe
Token: SeTakeOwnershipPrivilege	1312	WMIC.exe
Token: SeLoadDriverPrivilege	1312	WMIC.exe
Token: SeSystemProfilePrivilege	1312	WMIC.exe
Token: SeSystemtimePrivilege	1312	WMIC.exe
Token: SeProfSingleProcessPrivilege	1312	WMIC.exe
Token: SeIncBasePriorityPrivilege	1312	WMIC.exe
Token: SeCreatePagefilePrivilege	1312	WMIC.exe
Token: SeBackupPrivilege	1312	WMIC.exe
Token: SeRestorePrivilege	1312	WMIC.exe
Token: SeShutdownPrivilege	1312	WMIC.exe
Token: SeDebugPrivilege	1312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1312	WMIC.exe
Token: SeRemoteShutdownPrivilege	1312	WMIC.exe
Token: SeUndockPrivilege	1312	WMIC.exe
Token: SeManageVolumePrivilege	1312	WMIC.exe
Token: 33	1312	WMIC.exe
Token: 34	1312	WMIC.exe
Token: 35	1312	WMIC.exe
Token: SeBackupPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	2724	vssvc.exe
Token: SeAuditPrivilege	2724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1312	WMIC.exe
Token: SeSecurityPrivilege	1312	WMIC.exe
Token: SeTakeOwnershipPrivilege	1312	WMIC.exe
Token: SeLoadDriverPrivilege	1312	WMIC.exe
Token: SeSystemProfilePrivilege	1312	WMIC.exe
Token: SeSystemtimePrivilege	1312	WMIC.exe
Token: SeProfSingleProcessPrivilege	1312	WMIC.exe
Token: SeIncBasePriorityPrivilege	1312	WMIC.exe
Token: SeCreatePagefilePrivilege	1312	WMIC.exe
Token: SeBackupPrivilege	1312	WMIC.exe
Token: SeRestorePrivilege	1312	WMIC.exe
Token: SeShutdownPrivilege	1312	WMIC.exe
Token: SeDebugPrivilege	1312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1312	WMIC.exe
Token: SeRemoteShutdownPrivilege	1312	WMIC.exe
Token: SeUndockPrivilege	1312	WMIC.exe
Token: SeManageVolumePrivilege	1312	WMIC.exe
Token: 33	1312	WMIC.exe
Token: 34	1312	WMIC.exe
Token: 35	1312	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3236	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3236	iexplore.exe
3236	iexplore.exe
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1972	1244	Trojan-Ransom.Win32.Snocry.exe	31
PID 1244 wrote to memory of 1972	1244	Trojan-Ransom.Win32.Snocry.exe	31
PID 1244 wrote to memory of 1972	1244	Trojan-Ransom.Win32.Snocry.exe	31
PID 1244 wrote to memory of 1972	1244	Trojan-Ransom.Win32.Snocry.exe	31
PID 1244 wrote to memory of 1648	1244	Trojan-Ransom.Win32.Snocry.exe	33
PID 1244 wrote to memory of 1648	1244	Trojan-Ransom.Win32.Snocry.exe	33
PID 1244 wrote to memory of 1648	1244	Trojan-Ransom.Win32.Snocry.exe	33
PID 1244 wrote to memory of 1648	1244	Trojan-Ransom.Win32.Snocry.exe	33
PID 1972 wrote to memory of 2044	1972	cmd.exe	35
PID 1972 wrote to memory of 2044	1972	cmd.exe	35
PID 1972 wrote to memory of 2044	1972	cmd.exe	35
PID 1972 wrote to memory of 2044	1972	cmd.exe	35
PID 1244 wrote to memory of 1608	1244	Trojan-Ransom.Win32.Snocry.exe	36
PID 1244 wrote to memory of 1608	1244	Trojan-Ransom.Win32.Snocry.exe	36
PID 1244 wrote to memory of 1608	1244	Trojan-Ransom.Win32.Snocry.exe	36
PID 1244 wrote to memory of 1608	1244	Trojan-Ransom.Win32.Snocry.exe	36
PID 1244 wrote to memory of 1736	1244	Trojan-Ransom.Win32.Snocry.exe	38
PID 1244 wrote to memory of 1736	1244	Trojan-Ransom.Win32.Snocry.exe	38
PID 1244 wrote to memory of 1736	1244	Trojan-Ransom.Win32.Snocry.exe	38
PID 1244 wrote to memory of 1736	1244	Trojan-Ransom.Win32.Snocry.exe	38
PID 1244 wrote to memory of 1844	1244	Trojan-Ransom.Win32.Snocry.exe	39
PID 1244 wrote to memory of 1844	1244	Trojan-Ransom.Win32.Snocry.exe	39
PID 1244 wrote to memory of 1844	1244	Trojan-Ransom.Win32.Snocry.exe	39
PID 1244 wrote to memory of 1844	1244	Trojan-Ransom.Win32.Snocry.exe	39
PID 1608 wrote to memory of 996	1608	cmd.exe	45
PID 1608 wrote to memory of 996	1608	cmd.exe	45
PID 1608 wrote to memory of 996	1608	cmd.exe	45
PID 1608 wrote to memory of 996	1608	cmd.exe	45
PID 1244 wrote to memory of 1860	1244	Trojan-Ransom.Win32.Snocry.exe	44
PID 1244 wrote to memory of 1860	1244	Trojan-Ransom.Win32.Snocry.exe	44
PID 1244 wrote to memory of 1860	1244	Trojan-Ransom.Win32.Snocry.exe	44
PID 1244 wrote to memory of 1860	1244	Trojan-Ransom.Win32.Snocry.exe	44
PID 1244 wrote to memory of 1744	1244	Trojan-Ransom.Win32.Snocry.exe	43
PID 1244 wrote to memory of 1744	1244	Trojan-Ransom.Win32.Snocry.exe	43
PID 1244 wrote to memory of 1744	1244	Trojan-Ransom.Win32.Snocry.exe	43
PID 1244 wrote to memory of 1744	1244	Trojan-Ransom.Win32.Snocry.exe	43
PID 1648 wrote to memory of 1312	1648	cmd.exe	48
PID 1648 wrote to memory of 1312	1648	cmd.exe	48
PID 1648 wrote to memory of 1312	1648	cmd.exe	48
PID 1648 wrote to memory of 1312	1648	cmd.exe	48
PID 1736 wrote to memory of 1588	1736	cmd.exe	46
PID 1736 wrote to memory of 1588	1736	cmd.exe	46
PID 1736 wrote to memory of 1588	1736	cmd.exe	46
PID 1736 wrote to memory of 1588	1736	cmd.exe	46
PID 1244 wrote to memory of 1604	1244	Trojan-Ransom.Win32.Snocry.exe	49
PID 1244 wrote to memory of 1604	1244	Trojan-Ransom.Win32.Snocry.exe	49
PID 1244 wrote to memory of 1604	1244	Trojan-Ransom.Win32.Snocry.exe	49
PID 1244 wrote to memory of 1604	1244	Trojan-Ransom.Win32.Snocry.exe	49
PID 1244 wrote to memory of 1324	1244	Trojan-Ransom.Win32.Snocry.exe	51
PID 1244 wrote to memory of 1324	1244	Trojan-Ransom.Win32.Snocry.exe	51
PID 1244 wrote to memory of 1324	1244	Trojan-Ransom.Win32.Snocry.exe	51
PID 1244 wrote to memory of 1324	1244	Trojan-Ransom.Win32.Snocry.exe	51
PID 1244 wrote to memory of 820	1244	Trojan-Ransom.Win32.Snocry.exe	53
PID 1244 wrote to memory of 820	1244	Trojan-Ransom.Win32.Snocry.exe	53
PID 1244 wrote to memory of 820	1244	Trojan-Ransom.Win32.Snocry.exe	53
PID 1244 wrote to memory of 820	1244	Trojan-Ransom.Win32.Snocry.exe	53
PID 1844 wrote to memory of 1104	1844	cmd.exe	52
PID 1844 wrote to memory of 1104	1844	cmd.exe	52
PID 1844 wrote to memory of 1104	1844	cmd.exe	52
PID 1844 wrote to memory of 1104	1844	cmd.exe	52
PID 1244 wrote to memory of 1040	1244	Trojan-Ransom.Win32.Snocry.exe	54
PID 1244 wrote to memory of 1040	1244	Trojan-Ransom.Win32.Snocry.exe	54
PID 1244 wrote to memory of 1040	1244	Trojan-Ransom.Win32.Snocry.exe	54
PID 1244 wrote to memory of 1040	1244	Trojan-Ransom.Win32.Snocry.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Snocry.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Snocry.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  PID:820
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  PID:760
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  PID:944
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  PID:2508
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3236
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3472
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
d175e42465a984a3cc28e95b619eec5c

SHA1
92095f59940373cfb8053155d40ff9edfa94d143

SHA256
cba43aa87be7c1255da20188286eb9c848ec67ef5a6d1584651e9740824e346e

SHA512
f2db0b4b8bc2be4f03d419e9ec38cb7e10bc2c4e5c012d172bedb08f42d855c073ed6ff9a86612988ea89b9054f476397b5750d45623da505007e5409884fe05

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
d175e42465a984a3cc28e95b619eec5c

SHA1
92095f59940373cfb8053155d40ff9edfa94d143

SHA256
cba43aa87be7c1255da20188286eb9c848ec67ef5a6d1584651e9740824e346e

SHA512
f2db0b4b8bc2be4f03d419e9ec38cb7e10bc2c4e5c012d172bedb08f42d855c073ed6ff9a86612988ea89b9054f476397b5750d45623da505007e5409884fe05

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
972f9c7ca92bdd403211c676f58ec04e

SHA1
5c55e21f43c2679723a8f12ccb62513d0de8e65c

SHA256
4cf3e907cfd20fa534421e0dc3ae894d24cae11051fe4281b9696bb91af00e58

SHA512
6d04a6b40a2d39a864200eb5a60813de0e11fb9aadbeecfbbbf98181fe5e7dc686d347f77e5464b9ead7b8f023431b59e2b5ed52b635ea66014241f1178a7170

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
f540e5601278f50ba986fe0b533814e9

SHA1
cad728110b888945a94332a85c74abcc059b978d

SHA256
ba4ccf2b8c80ef90227850a25383b531603c97b545bc27386c10b3f8e3d1a3a1

SHA512
803b626c3e3d8bde4b583d7a74b877b0005a69dfa13d1e35c915450aa8b6c9a50180879a70465aaffc98412c07e821cbd0fb8b0ba6d7b95658c8769b1726e221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a0921d1308ccf111866cb5e795568992

SHA1
161a71b921ba63808c7b72800a0e513a27832076

SHA256
03d774c4587c281aef4de0ef66366c5d1ddc38de25c6d7d8ff83f7350915a9d9

SHA512
6cf33f2ce81ade1e71d4e311e90dfbc992bc3548c5eb3d4b460c48d56c8786f145617649c95889aff4446ca88c1fea101712b322c03a778bbbc0c608e126c222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
114d7aecb87dc65245619f9a95d56ce7

SHA1
27f7bbe592d64fea355c0c973da52813910ca891

SHA256
45354d2f603b002422aeed30f32e476ac3253ec3498cb0499f4f5b46a6f0eb81

SHA512
fee5a29d85ccf4e21c00aaf89b5c724fbd949c3fff7518346d92cecf3268626ade11f6704e0ee2944b3bef4a4dade5aaf7286da4e0cd306e105a9b3e19943311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b76f3c30118f7c78199117be5c8b45f

SHA1
c61d851105abf2843d25ecd60a6b99924552b66c

SHA256
c12c2e8ec69d63d8517c7852125c9e0980d094c5ae042342ea644cf2c1ea5ac9

SHA512
e0c46ccdde086a6aac1b09ffd6eb62f458ab83ee1c455fd1437ebf0d35920c8a1cb700e3a4e0eed1cf918557ca0ef9d97ce8b97f5c47c060a6e5eda37df63f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b85099d6d07ddfd73ca37d0ef8380f3

SHA1
cf79c79b3d28c15f4aa6980c2c95ba81616a06d8

SHA256
6d3d68b21288e9675b60ea523e84b6ed22b4d610d992293632f1c2b9f5e54baf

SHA512
2d95bed3763c25e1db56f2f3ff21536bef53e86a0afaa3a06b93f92ed6c85c81e6ba2fcff82925d283288ca31983a5ad28de0028660fea21777beffcf915535a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ceb8bacc89df2ceabecdfa39ec8365c

SHA1
d8198242cedf3629f4a1fc12f1a8141614207fbf

SHA256
510d99a7ba4302e3cdb6e2aef37b820536543033416fde451509d80e2728b189

SHA512
57838d6ee88a6551b25ae01947bff328c9e8b7675faa52711eb23fc9cf01a00357a587a4cb6817f5130ddb7469424d7f36d1acf50ab9af0d59754b9eb7c21863

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e817f90850791503466cc776ff2aeec7

SHA1
507a5cb85ccd6ce2b50b1b6143f28e0f03d1c458

SHA256
be5178c17e208214ad3066f9e1d1688a49c4559b73f7948238d6c27f24473465

SHA512
a66588e77686341bf628400648712c827cc937fa3ee676ff8b39a5f0ac3a7f3618795a894bf2827304e973789d7a488d937f34e82e7d572f301a11d9993b56a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9a95ac1e6c129bb30d35c2653f0fa1e

SHA1
6a053a4d0b73b267b3acdc19d931ed0b82c246ee

SHA256
4b97675b1798cf24b4d50d5e1cfc24d5e57ac274856f090d54c91566fe8bc41c

SHA512
5d370d1f06386b3d136c54a70cfcdfe757e5f85b73333c94fac3884d23d9bf1de1c71dbc3fda2a17c99c7a1f47f2a1f0ae3c286060ef009c2948713652707616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a32fd2d3b64968c976a330453de9e8d9

SHA1
52e0836a0af1a603ef531d6c071eb152c3bab626

SHA256
007c32f9fbd8520248b730e6b5894be00d2b7a47fc70a06b3a75b537a2b1292d

SHA512
a82ad11b2b191b5fa5305953362f5332468a242031dc30144a88a29f2458ed08dc344c2cf4cd72958c013a0819bac02395f29b86480e7908904f8c430f83d755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab12ec6d27c8e0087d56851512178b2a

SHA1
db661bfbaefe0b89ea8a941af673871f2af322e2

SHA256
5d8f80230a00fc8499a3b7221723d54ddc86bc2ad982c79184ca9f8c043e9ba4

SHA512
b8ab9a355aaa00a6f43f56843512dea3a7d7f0c80ccc20946f82d5631d799d376427cddb59bf269f714f1d69a54b9372fbe2edded305fd609817f481f52194ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab15b30a16cace4867e95312c1e1eebc

SHA1
f737cddc6cb5885308e96804c3a962e179ee3361

SHA256
6918e42a188a920fcb5b43811a6ad174c9804108e34a7efbd44bce8347226c8c

SHA512
2e09ab99be5968d7802206eea858f2d3bcb922640b5f349e964b5d2352ea941b474fa381055e6479fffa49748f3f36029202a5c742b805260c3d7e71cc17afdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cdefc42abc8a3ccde2d9826669f7d79

SHA1
b09247f06447cdf814229b34344feb84574ef459

SHA256
2f50063f8463da5bd628569ff0ef2765ddac2dd990a94683108841462a116a93

SHA512
1db7f1ef9f6e0a5cce4f8af0216400fa07c75c8a393c4897ac3e8e617b3accddf8e20a2a20727752fdbb5e399a23129e18b251b6f60498767085ce955b181b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c89e9b9716563482f0bbda3814522631

SHA1
4ce64bef7cea01e4207a51253f2e59dcc0265f11

SHA256
5d5154e1e3890a0027c5029e27be054226ddf5d7f9e1ae48ba9752c08e47c4c2

SHA512
95a54f28d1ae67fdac120d2c8338ddd86a8931fa94e4a628408f58cf17eab1a974d9ce34dca4d81130f2388796bea130ac1c47de746539ade85a344a7791f8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DCA.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VW34LDDW.txt

Filesize
605B

MD5
90b4208f967b2fa42ff2d157002b9e68

SHA1
3279a7d1db3f9f0771d9fcccf15aa14c1b735aa2

SHA256
09e515f3e7f481f0c8fd9a5d7ac076f91191925ad5d4f0657a95fa204c962114

SHA512
761de938403e867481b0b71f395e55878dd30ea513680ec3f4c89138ab9311bd5d366dba0b00b8ce005f7896dc654af8c9243d0be27210a29d354ab768a3be8e

Download Submit
C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
d175e42465a984a3cc28e95b619eec5c

SHA1
92095f59940373cfb8053155d40ff9edfa94d143

SHA256
cba43aa87be7c1255da20188286eb9c848ec67ef5a6d1584651e9740824e346e

SHA512
f2db0b4b8bc2be4f03d419e9ec38cb7e10bc2c4e5c012d172bedb08f42d855c073ed6ff9a86612988ea89b9054f476397b5750d45623da505007e5409884fe05

Download Submit
C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
f540e5601278f50ba986fe0b533814e9

SHA1
cad728110b888945a94332a85c74abcc059b978d

SHA256
ba4ccf2b8c80ef90227850a25383b531603c97b545bc27386c10b3f8e3d1a3a1

SHA512
803b626c3e3d8bde4b583d7a74b877b0005a69dfa13d1e35c915450aa8b6c9a50180879a70465aaffc98412c07e821cbd0fb8b0ba6d7b95658c8769b1726e221

Download Submit
memory/1244-54-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads