8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9

Extracted

Path

C:\odt\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 6edc00431c9b74ea

Emails

Extracted

Path

C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

Extracted

Path

C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 6edc00431c9b74ea

Emails

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\users\admin\pictures\unprotectstart.tiff	Trojan-Ransom.Win32.Snocry.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Snocry.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_6edc00431c9b74ea.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan-Ransom.Win32.Snocry.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan-Ransom.Win32.Snocry.exe\""	Trojan-Ransom.Win32.Snocry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_6edc00431c9b74ea.exe\""	Trojan-Ransom.Win32.Snocry.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\F:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Snocry.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Snocry.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230425192815.pma	setup.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ad635342-3779-44ea-a4a9-5cdc54718752.tmp	setup.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	Trojan-Ransom.Win32.Snocry.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	Trojan-Ransom.Win32.Snocry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	Trojan-Ransom.Win32.Snocry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1720	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1084	msedge.exe
1084	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeSecurityPrivilege	2776	WMIC.exe
Token: SeTakeOwnershipPrivilege	2776	WMIC.exe
Token: SeLoadDriverPrivilege	2776	WMIC.exe
Token: SeSystemProfilePrivilege	2776	WMIC.exe
Token: SeSystemtimePrivilege	2776	WMIC.exe
Token: SeProfSingleProcessPrivilege	2776	WMIC.exe
Token: SeIncBasePriorityPrivilege	2776	WMIC.exe
Token: SeCreatePagefilePrivilege	2776	WMIC.exe
Token: SeBackupPrivilege	2776	WMIC.exe
Token: SeRestorePrivilege	2776	WMIC.exe
Token: SeShutdownPrivilege	2776	WMIC.exe
Token: SeDebugPrivilege	2776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2776	WMIC.exe
Token: SeRemoteShutdownPrivilege	2776	WMIC.exe
Token: SeUndockPrivilege	2776	WMIC.exe
Token: SeManageVolumePrivilege	2776	WMIC.exe
Token: 33	2776	WMIC.exe
Token: 34	2776	WMIC.exe
Token: 35	2776	WMIC.exe
Token: 36	2776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeSecurityPrivilege	2776	WMIC.exe
Token: SeTakeOwnershipPrivilege	2776	WMIC.exe
Token: SeLoadDriverPrivilege	2776	WMIC.exe
Token: SeSystemProfilePrivilege	2776	WMIC.exe
Token: SeSystemtimePrivilege	2776	WMIC.exe
Token: SeProfSingleProcessPrivilege	2776	WMIC.exe
Token: SeIncBasePriorityPrivilege	2776	WMIC.exe
Token: SeCreatePagefilePrivilege	2776	WMIC.exe
Token: SeBackupPrivilege	2776	WMIC.exe
Token: SeRestorePrivilege	2776	WMIC.exe
Token: SeShutdownPrivilege	2776	WMIC.exe
Token: SeDebugPrivilege	2776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2776	WMIC.exe
Token: SeRemoteShutdownPrivilege	2776	WMIC.exe
Token: SeUndockPrivilege	2776	WMIC.exe
Token: SeManageVolumePrivilege	2776	WMIC.exe
Token: 33	2776	WMIC.exe
Token: 34	2776	WMIC.exe
Token: 35	2776	WMIC.exe
Token: 36	2776	WMIC.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3636	448	Trojan-Ransom.Win32.Snocry.exe	92
PID 448 wrote to memory of 3636	448	Trojan-Ransom.Win32.Snocry.exe	92
PID 448 wrote to memory of 3636	448	Trojan-Ransom.Win32.Snocry.exe	92
PID 448 wrote to memory of 4668	448	Trojan-Ransom.Win32.Snocry.exe	94
PID 448 wrote to memory of 4668	448	Trojan-Ransom.Win32.Snocry.exe	94
PID 448 wrote to memory of 4668	448	Trojan-Ransom.Win32.Snocry.exe	94
PID 448 wrote to memory of 1388	448	Trojan-Ransom.Win32.Snocry.exe	96
PID 448 wrote to memory of 1388	448	Trojan-Ransom.Win32.Snocry.exe	96
PID 448 wrote to memory of 1388	448	Trojan-Ransom.Win32.Snocry.exe	96
PID 448 wrote to memory of 3660	448	Trojan-Ransom.Win32.Snocry.exe	98
PID 448 wrote to memory of 3660	448	Trojan-Ransom.Win32.Snocry.exe	98
PID 448 wrote to memory of 3660	448	Trojan-Ransom.Win32.Snocry.exe	98
PID 448 wrote to memory of 4512	448	Trojan-Ransom.Win32.Snocry.exe	99
PID 448 wrote to memory of 4512	448	Trojan-Ransom.Win32.Snocry.exe	99
PID 448 wrote to memory of 4512	448	Trojan-Ransom.Win32.Snocry.exe	99
PID 448 wrote to memory of 1208	448	Trojan-Ransom.Win32.Snocry.exe	102
PID 448 wrote to memory of 1208	448	Trojan-Ransom.Win32.Snocry.exe	102
PID 448 wrote to memory of 1208	448	Trojan-Ransom.Win32.Snocry.exe	102
PID 448 wrote to memory of 3596	448	Trojan-Ransom.Win32.Snocry.exe	163
PID 448 wrote to memory of 3596	448	Trojan-Ransom.Win32.Snocry.exe	163
PID 448 wrote to memory of 3596	448	Trojan-Ransom.Win32.Snocry.exe	163
PID 448 wrote to memory of 3968	448	Trojan-Ransom.Win32.Snocry.exe	106
PID 448 wrote to memory of 3968	448	Trojan-Ransom.Win32.Snocry.exe	106
PID 448 wrote to memory of 3968	448	Trojan-Ransom.Win32.Snocry.exe	106
PID 4668 wrote to memory of 2776	4668	cmd.exe	108
PID 4668 wrote to memory of 2776	4668	cmd.exe	108
PID 4668 wrote to memory of 2776	4668	cmd.exe	108
PID 448 wrote to memory of 4372	448	Trojan-Ransom.Win32.Snocry.exe	109
PID 448 wrote to memory of 4372	448	Trojan-Ransom.Win32.Snocry.exe	109
PID 448 wrote to memory of 4372	448	Trojan-Ransom.Win32.Snocry.exe	109
PID 448 wrote to memory of 3576	448	Trojan-Ransom.Win32.Snocry.exe	111
PID 448 wrote to memory of 3576	448	Trojan-Ransom.Win32.Snocry.exe	111
PID 448 wrote to memory of 3576	448	Trojan-Ransom.Win32.Snocry.exe	111
PID 448 wrote to memory of 4472	448	Trojan-Ransom.Win32.Snocry.exe	113
PID 448 wrote to memory of 4472	448	Trojan-Ransom.Win32.Snocry.exe	113
PID 448 wrote to memory of 4472	448	Trojan-Ransom.Win32.Snocry.exe	113
PID 448 wrote to memory of 4100	448	Trojan-Ransom.Win32.Snocry.exe	115
PID 448 wrote to memory of 4100	448	Trojan-Ransom.Win32.Snocry.exe	115
PID 448 wrote to memory of 4100	448	Trojan-Ransom.Win32.Snocry.exe	115
PID 448 wrote to memory of 1864	448	Trojan-Ransom.Win32.Snocry.exe	184
PID 448 wrote to memory of 1864	448	Trojan-Ransom.Win32.Snocry.exe	184
PID 448 wrote to memory of 1864	448	Trojan-Ransom.Win32.Snocry.exe	184
PID 448 wrote to memory of 2052	448	Trojan-Ransom.Win32.Snocry.exe	119
PID 448 wrote to memory of 2052	448	Trojan-Ransom.Win32.Snocry.exe	119
PID 448 wrote to memory of 2052	448	Trojan-Ransom.Win32.Snocry.exe	119
PID 448 wrote to memory of 424	448	Trojan-Ransom.Win32.Snocry.exe	122
PID 448 wrote to memory of 424	448	Trojan-Ransom.Win32.Snocry.exe	122
PID 448 wrote to memory of 424	448	Trojan-Ransom.Win32.Snocry.exe	122
PID 448 wrote to memory of 1292	448	Trojan-Ransom.Win32.Snocry.exe	124
PID 448 wrote to memory of 1292	448	Trojan-Ransom.Win32.Snocry.exe	124
PID 448 wrote to memory of 1292	448	Trojan-Ransom.Win32.Snocry.exe	124
PID 448 wrote to memory of 1720	448	Trojan-Ransom.Win32.Snocry.exe	178
PID 448 wrote to memory of 1720	448	Trojan-Ransom.Win32.Snocry.exe	178
PID 448 wrote to memory of 1720	448	Trojan-Ransom.Win32.Snocry.exe	178
PID 448 wrote to memory of 4680	448	Trojan-Ransom.Win32.Snocry.exe	129
PID 448 wrote to memory of 4680	448	Trojan-Ransom.Win32.Snocry.exe	129
PID 448 wrote to memory of 4680	448	Trojan-Ransom.Win32.Snocry.exe	129
PID 448 wrote to memory of 4428	448	Trojan-Ransom.Win32.Snocry.exe	131
PID 448 wrote to memory of 4428	448	Trojan-Ransom.Win32.Snocry.exe	131
PID 448 wrote to memory of 4428	448	Trojan-Ransom.Win32.Snocry.exe	131
PID 448 wrote to memory of 4420	448	Trojan-Ransom.Win32.Snocry.exe	133
PID 448 wrote to memory of 4420	448	Trojan-Ransom.Win32.Snocry.exe	133
PID 448 wrote to memory of 4420	448	Trojan-Ransom.Win32.Snocry.exe	133
PID 448 wrote to memory of 2708	448	Trojan-Ransom.Win32.Snocry.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Snocry.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Snocry.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  PID:3968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  PID:424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  PID:4420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  PID:4464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  PID:672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:3896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffa2ac646f8,0x7ffa2ac64708,0x7ffa2ac64718
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
    3⤵
    PID:1864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff6b1a95460,0x7ff6b1a95470,0x7ff6b1a95480
      4⤵
      PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3498995679266141244,12202238015322808790,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:2868
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery