bitrat | af2a46b92d79251d328392ce1241fffc25acd6e797ff1e64859938e03c1e593b

pid	Process
6276	bcdedit.exe
4440	bcdedit.exe

Renames multiple (1994) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Vanilla Rat payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023bec-312.dat	vanillarat
behavioral1/memory/4928-316-0x0000000000F00000-0x0000000000F22000-memory.dmp	vanillarat

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2832	wbadmin.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Foreign.gen-be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe	HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe	HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe

Executes dropped EXE 31 IoCs

pid	Process
1968	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe
3348	HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe
4244	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
3520	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe
2652	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe
4928	HEUR-Trojan-Ransom.MSIL.Blocker.gen-92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752.exe
432	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
2796	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ae83d5c45126fde095a3f0cf169c92da5ca0492c28d081aa80a7dc8872428f61.exe
4140	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
396	HEUR-Trojan-Ransom.MSIL.Encoder.gen-a1d5392103e9d83a618cfd0db7d62d2870e1ecf8cddc730322afa4e7db22fc67.exe
4280	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
5052	HEUR-Trojan-Ransom.MSIL.Foreign.gen-67a225feedc5ce4adf75acb41e8b0e746e7daaec779225cd72f860a263b92a6e.exe
4496	HEUR-Trojan-Ransom.MSIL.Foreign.gen-be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540.exe
5500	HEUR-Trojan-Ransom.MSIL.Gen.gen-30083b7c6d8fe87351cb941c9ce718d2316436b93f4a5a7c7369787bf2c72d83.exe
3640	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-5126cfd21aeccb996cbaa5d7e4e418675ce1962cff65c5705691eb31d0df0aa5.exe
5344	Client.exe
7032	HEUR-Trojan-Ransom.Win32.Crypmod.gen-fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
5244	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b18d0862487a22e2b286d0a695368811cc7f6bd4b9a216184061a927e41a4459.exe
6156	trbgertrnion.exe
6240	HEUR-Trojan-Ransom.Win32.Encoder.gen-f7591ba2cf971a823996eadf8d1fc1c98c22b0cc2dfe571f78f89faf3632d9aa.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6516	HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe
6552	HEUR-Trojan-Ransom.Win32.Makop.vho-c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a.exe
6564	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-f1e6bc8fe038f830ddc353139f3bf0ca840f879c7ef45a9fafcf1e75a8c03e9d.exe
5444	o.exe
5552	firefox.exe
1932	HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
6292	o.exe
6284	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
6012	route.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3520-1391-0x0000000007110000-0x0000000007138000-memory.dmp	agile_net
behavioral1/memory/5500-1658-0x0000024F9E4F0000-0x0000024F9E580000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	HEUR-Trojan-Ransom.Win32.Makop.vho-c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11f86284 = "C:\\Users\\Admin\\AppData\\Local\\Route0\\route.exe"	HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\Desktop\\00458\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\Desktop\\00458\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{D26B2595-1212-A79E-D1C9-D1E22F5CBDA3} = "\"C:\\Users\\Admin\\Desktop\\00458\\HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe\""	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\Documents\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\Desktop\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
File created	C:\Users\Admin\Contacts\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	o.exe
File opened (read-only)	\??\F:	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
289	0.tcp.ngrok.io
6620	raw.githubusercontent.com
6635	raw.githubusercontent.com
9928	0.tcp.sa.ngrok.io
10627	0.tcp.ngrok.io
33	0.tcp.ngrok.io
37	0.tcp.sa.ngrok.io
62	0.tcp.ngrok.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\B76B8F.ico	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
6492	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6284 set thread context of 1488	6284	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe	164

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023c11-3146.dat	upx
behavioral1/memory/5244-3213-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0008000000023cc4-3416.dat	upx
behavioral1/memory/5244-4156-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/1488-7480-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-7482-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-7624-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-7474-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-9258-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-9241-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-10508-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-10524-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-15802-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-15801-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-17763-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-17779-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18028-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18064-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18300-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18320-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18397-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18421-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18445-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18516-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18518-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-18497-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19034-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19036-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19037-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19039-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19044-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19088-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19089-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1488-19098-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\program files\java\jdk-1.8\jre\lib\deploy\messages_it.properties	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\homebusinessr_oem_perp4-ul-phn.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\professional2019r_oem_perp-pl.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\visiostdvl_mak-ul-oob.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\images\files_icons2x.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\java\jre-1.8\lib\images\cursors\win32_linkdrop32x32.gif	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\integration\c2rmanifest.shared.office.x-none.msi.16.x-none.xml	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\videolan\vlc\locale\si\lc_messages\vlc.mo	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\en_get.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\personalr_grace-ul-oob.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\vfs\common appdata\microsoft help\ms.excel.16.1033.hxn	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\eu-es\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\msipc\sr-latn-rs\msipc.dll.mui	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\resources\1033\msolui.rll	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\idtemplates\enu\defaultid.pdf	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\java\jdk-1.8\lib\tools.jar	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\visiopro2019vl_mak_ae-ul-oob.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files\microsoft office\root\office16\bibliography\style\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\logoimages\onenotelogo.contrast-black_scale-180.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\java\jdk-1.8\jre\lib\jfxswt.jar	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins3d\3difr.x3d	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\js\nls\fi-fi\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\logoimages\onenotelogo.contrast-black_scale-80.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\js\nls\pt-br\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\templates\1033\adjacencyletter.dotx	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\visiopro2019r_retail-pl.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\installermainshell.tlb	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sample-files\js\nls\fr-fr\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\integration\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\videolan\vlc\locale\lg\lc_messages\vlc.mo	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\move.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\reviews\css\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\videolan\vlc\lua\http\dialogs\stream_window.html	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\java\jre-1.8\lib\flavormap.properties	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\js\nls\root\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\7-zip\lang\ar.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\da-dk\playstore_icon.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\js\selector.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\prottplv.xls	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files\microsoft office\root\office16\msipc\sv\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\file_types\hi_contrast\aic_file_icons_hicontrast_wob.png	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_invite_24.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\pages-app\js\nls\ja-jp\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\homebusinesspipcr_oem_perp-ppd.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\pagesize\pgmn082.xml	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_filter-hover_32.svg	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\ui-strings.js	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\js\nls\it-it\Restore-My-Files.txt	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\visioprovl_mak-ul-phn.xrm-ms	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\microsoft office\root\office16\proof\msgr8fr.dub	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
File opened for modification	C:\program files\videolan\vlc\lua\playlist\cue.luac	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4144	sc.exe
6632	sc.exe
3836	sc.exe
2032	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6848	6564	WerFault.exe	139
6344	7216	WerFault.exe	284
5208	7208	WerFault.exe	291
388	4048	WerFault.exe	302

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-5126cfd21aeccb996cbaa5d7e4e418675ce1962cff65c5705691eb31d0df0aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmod.gen-fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-f1e6bc8fe038f830ddc353139f3bf0ca840f879c7ef45a9fafcf1e75a8c03e9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-f7591ba2cf971a823996eadf8d1fc1c98c22b0cc2dfe571f78f89faf3632d9aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2752	cmd.exe
3932	PING.EXE

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe

Interacts with shadow copies 3 TTPs 16 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
5464	vssadmin.exe
7916	vssadmin.exe
6956	vssadmin.exe
6600	vssadmin.exe
1368	vssadmin.exe
5320	vssadmin.exe
4572	vssadmin.exe
4496	vssadmin.exe
7296	vssadmin.exe
3052	vssadmin.exe
2168	vssadmin.exe
7672	vssadmin.exe
8000	vssadmin.exe
7904	vssadmin.exe
5800	vssadmin.exe
6676	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5776	taskkill.exe
6520	taskkill.exe
6860	taskkill.exe
5812	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\Registry\Machine\Software\Classes\.lockbit	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
Key created	\Registry\Machine\Software\Classes\.lockbit\DefaultIcon	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\B76B8F.ico"	HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5148	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3932	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	powershell.exe
4156	powershell.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2184	7zFM.exe
2188	taskmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4280	HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	7zFM.exe
Token: 35	2184	7zFM.exe
Token: SeSecurityPrivilege	2184	7zFM.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2712	taskmgr.exe
Token: SeSystemProfilePrivilege	2712	taskmgr.exe
Token: SeCreateGlobalPrivilege	2712	taskmgr.exe
Token: SeDebugPrivilege	2188	taskmgr.exe
Token: SeSystemProfilePrivilege	2188	taskmgr.exe
Token: SeCreateGlobalPrivilege	2188	taskmgr.exe
Token: 33	2712	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2712	taskmgr.exe
Token: SeDebugPrivilege	4244	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	3520	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	432	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
Token: SeDebugPrivilege	2796	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ae83d5c45126fde095a3f0cf169c92da5ca0492c28d081aa80a7dc8872428f61.exe
Token: SeDebugPrivilege	4140	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
Token: SeIncreaseQuotaPrivilege	4272	powershell.exe
Token: SeSecurityPrivilege	4272	powershell.exe
Token: SeTakeOwnershipPrivilege	4272	powershell.exe
Token: SeLoadDriverPrivilege	4272	powershell.exe
Token: SeSystemProfilePrivilege	4272	powershell.exe
Token: SeSystemtimePrivilege	4272	powershell.exe
Token: SeProfSingleProcessPrivilege	4272	powershell.exe
Token: SeIncBasePriorityPrivilege	4272	powershell.exe
Token: SeCreatePagefilePrivilege	4272	powershell.exe
Token: SeBackupPrivilege	4272	powershell.exe
Token: SeRestorePrivilege	4272	powershell.exe
Token: SeShutdownPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeSystemEnvironmentPrivilege	4272	powershell.exe
Token: SeRemoteShutdownPrivilege	4272	powershell.exe
Token: SeUndockPrivilege	4272	powershell.exe
Token: SeManageVolumePrivilege	4272	powershell.exe
Token: 33	4272	powershell.exe
Token: 34	4272	powershell.exe
Token: 35	4272	powershell.exe
Token: 36	4272	powershell.exe
Token: SeIncreaseQuotaPrivilege	4272	powershell.exe
Token: SeSecurityPrivilege	4272	powershell.exe
Token: SeTakeOwnershipPrivilege	4272	powershell.exe
Token: SeLoadDriverPrivilege	4272	powershell.exe
Token: SeSystemProfilePrivilege	4272	powershell.exe
Token: SeSystemtimePrivilege	4272	powershell.exe
Token: SeProfSingleProcessPrivilege	4272	powershell.exe
Token: SeIncBasePriorityPrivilege	4272	powershell.exe
Token: SeCreatePagefilePrivilege	4272	powershell.exe
Token: SeBackupPrivilege	4272	powershell.exe
Token: SeRestorePrivilege	4272	powershell.exe
Token: SeShutdownPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeSystemEnvironmentPrivilege	4272	powershell.exe
Token: SeRemoteShutdownPrivilege	4272	powershell.exe
Token: SeUndockPrivilege	4272	powershell.exe
Token: SeManageVolumePrivilege	4272	powershell.exe
Token: 33	4272	powershell.exe
Token: 34	4272	powershell.exe
Token: 35	4272	powershell.exe
Token: 36	4272	powershell.exe
Token: SeIncreaseQuotaPrivilege	988	powershell.exe
Token: SeSecurityPrivilege	988	powershell.exe
Token: SeTakeOwnershipPrivilege	988	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2184	7zFM.exe
2184	7zFM.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2712	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe
2188	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5500	HEUR-Trojan-Ransom.MSIL.Gen.gen-30083b7c6d8fe87351cb941c9ce718d2316436b93f4a5a7c7369787bf2c72d83.exe
5500	HEUR-Trojan-Ransom.MSIL.Gen.gen-30083b7c6d8fe87351cb941c9ce718d2316436b93f4a5a7c7369787bf2c72d83.exe
1932	HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
1488	HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
6012	route.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2188	2712	taskmgr.exe	91
PID 2712 wrote to memory of 2188	2712	taskmgr.exe	91
PID 4156 wrote to memory of 2524	4156	powershell.exe	96
PID 4156 wrote to memory of 2524	4156	powershell.exe	96
PID 2524 wrote to memory of 1968	2524	cmd.exe	97
PID 2524 wrote to memory of 1968	2524	cmd.exe	97
PID 2524 wrote to memory of 3348	2524	cmd.exe	98
PID 2524 wrote to memory of 3348	2524	cmd.exe	98
PID 2524 wrote to memory of 4244	2524	cmd.exe	99
PID 2524 wrote to memory of 4244	2524	cmd.exe	99
PID 2524 wrote to memory of 4244	2524	cmd.exe	99
PID 2524 wrote to memory of 3520	2524	cmd.exe	100
PID 2524 wrote to memory of 3520	2524	cmd.exe	100
PID 2524 wrote to memory of 3520	2524	cmd.exe	100
PID 2524 wrote to memory of 2652	2524	cmd.exe	101
PID 2524 wrote to memory of 2652	2524	cmd.exe	101
PID 2524 wrote to memory of 2652	2524	cmd.exe	101
PID 1968 wrote to memory of 988	1968	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe	102
PID 1968 wrote to memory of 988	1968	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe	102
PID 3348 wrote to memory of 4272	3348	HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe	104
PID 3348 wrote to memory of 4272	3348	HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe	104
PID 2524 wrote to memory of 4928	2524	cmd.exe	106
PID 2524 wrote to memory of 4928	2524	cmd.exe	106
PID 2524 wrote to memory of 4928	2524	cmd.exe	106
PID 2524 wrote to memory of 432	2524	cmd.exe	107
PID 2524 wrote to memory of 432	2524	cmd.exe	107
PID 2524 wrote to memory of 432	2524	cmd.exe	107
PID 2524 wrote to memory of 2796	2524	cmd.exe	108
PID 2524 wrote to memory of 2796	2524	cmd.exe	108
PID 2524 wrote to memory of 4140	2524	cmd.exe	110
PID 2524 wrote to memory of 4140	2524	cmd.exe	110
PID 2524 wrote to memory of 4140	2524	cmd.exe	110
PID 2652 wrote to memory of 3288	2652	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe	111
PID 2652 wrote to memory of 3288	2652	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe	111
PID 2652 wrote to memory of 3288	2652	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe	111
PID 2524 wrote to memory of 396	2524	cmd.exe	112
PID 2524 wrote to memory of 396	2524	cmd.exe	112
PID 2524 wrote to memory of 4280	2524	cmd.exe	114
PID 2524 wrote to memory of 4280	2524	cmd.exe	114
PID 2524 wrote to memory of 5052	2524	cmd.exe	115
PID 2524 wrote to memory of 5052	2524	cmd.exe	115
PID 2524 wrote to memory of 4496	2524	cmd.exe	238
PID 2524 wrote to memory of 4496	2524	cmd.exe	238
PID 3520 wrote to memory of 5320	3520	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe	240
PID 3520 wrote to memory of 5320	3520	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe	240
PID 3520 wrote to memory of 5320	3520	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe	240
PID 2524 wrote to memory of 5500	2524	cmd.exe	118
PID 2524 wrote to memory of 5500	2524	cmd.exe	118
PID 2524 wrote to memory of 3640	2524	cmd.exe	120
PID 2524 wrote to memory of 3640	2524	cmd.exe	120
PID 2524 wrote to memory of 3640	2524	cmd.exe	120
PID 5320 wrote to memory of 5904	5320	cmd.exe	121
PID 5320 wrote to memory of 5904	5320	cmd.exe	121
PID 5320 wrote to memory of 5904	5320	cmd.exe	121
PID 4244 wrote to memory of 5344	4244	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe	122
PID 4244 wrote to memory of 5344	4244	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe	122
PID 4244 wrote to memory of 5344	4244	HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe	122
PID 432 wrote to memory of 5848	432	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe	123
PID 432 wrote to memory of 5848	432	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe	123
PID 432 wrote to memory of 5848	432	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe	123
PID 2524 wrote to memory of 7032	2524	cmd.exe	125
PID 2524 wrote to memory of 7032	2524	cmd.exe	125
PID 2524 wrote to memory of 7032	2524	cmd.exe	125
PID 2524 wrote to memory of 5244	2524	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00458.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-0b5bf824615068b40c84f4d32187348d1db9e2732a01077a7e8ed7b595c16ca4.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:6980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:6276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:7952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:5964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:5232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:5248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:6380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:7480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:5568
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-413806335478be174de0001def0b0c9635ba437fd5a7d66527c90cf9f35f1262.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:5160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:7612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:7148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:7860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:7440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:6832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:7672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:5984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:2420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:6628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:2944
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-41a9129aecf7445340cf5d4db80c09e3fdc2516e49eb1d394d3ebc4ca18b6edb.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5344
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-7a3ec0235f9c26bb8fd1502574ed67eaab479fa81e5d80d7b6f5b5cc230ec7f4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\tglbin.exe,"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\tglbin.exe,"
        5⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:5904
  - - C:\Users\Admin\AppData\Roaming\tglbin.exe
      "C:\Users\Admin\AppData\Roaming\tglbin.exe"
      4⤵
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
        5⤵
        
        PID:7216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 640
        6⤵
        Program crash
        
        PID:6344
    - - C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
        5⤵
        
        PID:7208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 628
        6⤵
        Program crash
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\bvt55.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvt55.exe"
        5⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\bvt55.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvt55.exe"
        6⤵
        
        PID:7364
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ee7ec743243b12d48e2ce24b14cfb475d9cd9bb03eccbfc7c8cd7a2c0582d0e.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:6412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:7732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:6396
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:6188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      4⤵
      PID:3684
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 60 /tn "Client" /tr "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d9b89bfce6c6b32110ce93187434a498d0b9dab95f4802cb427d73a89392568.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5848
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ae83d5c45126fde095a3f0cf169c92da5ca0492c28d081aa80a7dc8872428f61.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-ae83d5c45126fde095a3f0cf169c92da5ca0492c28d081aa80a7dc8872428f61.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-bf47fd8112e6b1bc72f28e2fc3917616ecb2e1849c9a05d9d521f0fef08349b8.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a1d5392103e9d83a618cfd0db7d62d2870e1ecf8cddc730322afa4e7db22fc67.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-a1d5392103e9d83a618cfd0db7d62d2870e1ecf8cddc730322afa4e7db22fc67.exe
    3⤵
    - Executes dropped EXE
    PID:396
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-c3cf385ef511782be2ab8c5347db1833555d446edf71cb3b8ffbb01d5d44083d.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: RenamesItself
    PID:4280
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Foreign.gen-67a225feedc5ce4adf75acb41e8b0e746e7daaec779225cd72f860a263b92a6e.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-67a225feedc5ce4adf75acb41e8b0e746e7daaec779225cd72f860a263b92a6e.exe
    3⤵
    - Executes dropped EXE
    PID:5052
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Foreign.gen-be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4496
  - - C:\ProgramData\Hithviwia\trbgertrnion.exe
      "C:\ProgramData\Hithviwia\trbgertrnion.exe"
      4⤵
      Executes dropped EXE
      PID:6156
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.Gen.gen-30083b7c6d8fe87351cb941c9ce718d2316436b93f4a5a7c7369787bf2c72d83.exe
    HEUR-Trojan-Ransom.MSIL.Gen.gen-30083b7c6d8fe87351cb941c9ce718d2316436b93f4a5a7c7369787bf2c72d83.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5500
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-5126cfd21aeccb996cbaa5d7e4e418675ce1962cff65c5705691eb31d0df0aa5.exe
    HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-5126cfd21aeccb996cbaa5d7e4e418675ce1962cff65c5705691eb31d0df0aa5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3640
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Crypmod.gen-fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
    HEUR-Trojan-Ransom.Win32.Crypmod.gen-fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7032
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete
      4⤵
      PID:6184
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete
        5⤵
        
        PID:6520
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b18d0862487a22e2b286d0a695368811cc7f6bd4b9a216184061a927e41a4459.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b18d0862487a22e2b286d0a695368811cc7f6bd4b9a216184061a927e41a4459.exe
    3⤵
    - Executes dropped EXE
    PID:5244
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Encoder.gen-f7591ba2cf971a823996eadf8d1fc1c98c22b0cc2dfe571f78f89faf3632d9aa.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-f7591ba2cf971a823996eadf8d1fc1c98c22b0cc2dfe571f78f89faf3632d9aa.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6240
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
    HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:2340
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1368
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:6964
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6276
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4440
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1716
        5⤵
        Program crash
        
        PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe" & Del /f /q "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2752
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.7 -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3932
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049.exe"
        5⤵
        
        PID:6184
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe
    HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    PID:6516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe"
      4⤵
      Executes dropped EXE
      PID:5552
    - - C:\Windows\SYSTEM32\net.exe
        
        "net.exe" stop avpsus /y
        5⤵
        
        PID:1712
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop avpsus /y
        6⤵
        
        PID:5788
    - - C:\Windows\SYSTEM32\net.exe
        
        "net.exe" stop McAfeeDLPAgentService /y
        5⤵
        
        PID:2148
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        6⤵
        
        PID:964
    - - C:\Windows\SYSTEM32\net.exe
        
        "net.exe" stop mfewc /y
        5⤵
        
        PID:6884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop mfewc /y
        6⤵
        
        PID:5576
    - - C:\Windows\SYSTEM32\net.exe
        
        "net.exe" stop BMR Boot Service /y
        5⤵
        
        PID:5920
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BMR Boot Service /y
        6⤵
        
        PID:6996
    - - C:\Windows\SYSTEM32\net.exe
        
        "net.exe" stop NetBackup BMR MTFTP Service /y
        5⤵
        
        PID:3192
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        6⤵
        
        PID:7064
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc.exe" config SQLTELEMETRY start= disabled
        5⤵
        Launches sc.exe
        
        PID:2032
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        5⤵
        Launches sc.exe
        
        PID:4144
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc.exe" config SQLWriter start= disabled
        5⤵
        Launches sc.exe
        
        PID:6632
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc.exe" config SstpSvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:3836
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill.exe" /IM mspub.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5776
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill.exe" /IM mydesktopqos.exe /F
        5⤵
        Kills process with taskkill
        
        PID:6520
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill.exe" /IM mydesktopservice.exe /F
        5⤵
        Kills process with taskkill
        
        PID:6860
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6676
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:7296
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:3052
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:2168
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:7672
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:7904
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:6600
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:6956
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:7916
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:5464
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:8000
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:4496
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        5⤵
        Interacts with shadow copies
        
        PID:5320
    - - C:\Windows\SYSTEM32\vssadmin.exe
        
        "vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4572
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe
        5⤵
        
        PID:6416
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:7384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Generic-7089e02c28f8fa84309b4538545cef44b167076ece4a433d0dce56e5a95671aa.exe
      4⤵
      PID:5412
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3684
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Makop.vho-c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a.exe
    HEUR-Trojan-Ransom.Win32.Makop.vho-c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6552
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o.exe" n5444
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6292
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:5672
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:5800
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:2832
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:5176
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-f1e6bc8fe038f830ddc353139f3bf0ca840f879c7ef45a9fafcf1e75a8c03e9d.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-f1e6bc8fe038f830ddc353139f3bf0ca840f879c7ef45a9fafcf1e75a8c03e9d.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 236
      4⤵
      Program crash
      PID:6848
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
    HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c type "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe" > "C:\Users\Admin\AppData\Local\Route0\route.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c type "C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Sodin.vho-d68a553bdc49920a0442ddb71f84d46f5274d15a3174bdc08940de2e27e663ea.exe" > "C:\Users\Admin\AppData\Local\Route0\zroute.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c pushd C:\Users\Admin\AppData\Local\Route0 & start route.exe & popd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
    - - C:\Users\Admin\AppData\Local\Route0\route.exe
        
        route.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6012
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM zroute.exe
        6⤵
        Kills process with taskkill
        
        PID:5812
- - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6284
  - - C:\Users\Admin\Desktop\00458\HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6564 -ip 6564
1⤵
PID:6768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:6240

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:7072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:7820

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
PID:7164
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{AA3F4B4F-016F-447E-93F8-DD9328E64652}.xps" 133731201211410000
  2⤵
  PID:5592
- - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    OfficeC2RClient.exe /error PID=5592 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    3⤵
    - Process spawned unexpected child process
    PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7216 -ip 7216
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7208 -ip 7208
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4048 -ip 4048
1⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery