avaddon | 637818d66515e2c06402e23fe770314f0776dfa9816c321722d01d36c84eb63e

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	HEUR-Trojan-Ransom.MSIL.Agent.gen-adf8cbeca68a75ce767abc16dc4423ad413ca970d574a78be3426944c88d188a.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	4024	wmic.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4024	wmic.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4024	wmic.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	15648	4024	wmic.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	17108	4024	wmic.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	14828	4024	wmic.exe	123

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/6536-2861-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/6564-15443-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/4288-749-0x0000000000140000-0x0000000000B10000-memory.dmp	family_sectoprat
behavioral1/memory/4288-750-0x0000000000140000-0x0000000000B10000-memory.dmp	family_sectoprat
behavioral1/memory/6536-2861-0x0000000000400000-0x000000000041C000-memory.dmp	family_sectoprat
behavioral1/memory/6564-15443-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 3 IoCs

pid	Process
6572	bcdedit.exe
11040	bcdedit.exe
15120	bcdedit.exe

Vanilla Rat payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023cca-197.dat	vanillarat
behavioral1/memory/2152-203-0x0000000000920000-0x0000000000942000-memory.dmp	vanillarat

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
15572	netsh.exe
14820	netsh.exe
5604	netsh.exe
5256	netsh.exe
5176	netsh.exe
6056	netsh.exe
12232	netsh.exe
13440	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe

Executes dropped EXE 13 IoCs

pid	Process
4108	HEUR-Trojan-Ransom.MSIL.Agent.gen-adf8cbeca68a75ce767abc16dc4423ad413ca970d574a78be3426944c88d188a.exe
4448	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ecd0b35c94d9e403f656a73bb102f21ce45eb5d4e400c05c436ebb91d4394f6.exe
2152	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b3851e5c28e260637f2bb0d27bd956234053f958c19d044c30c87ff4b731caac.exe
4992	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fe6a3a8aefd1f4d65f8a594eb1ca80908fb551daacbdb8f344720ef85b0c4fbe.exe
4540	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe
1788	HEUR-Trojan-Ransom.MSIL.Foreign.gen-a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a.exe
3540	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe
372	HEUR-Trojan-Ransom.Win32.CryFile.gen-759a1edf26259c3bcddbbe4d9d15998ddcf948eecbfd368c46973700c2e59c18.exe
2200	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-ffa319009785e835d244f06d851637007c7b9fdb3680c473ed8739adb961a8e3.exe
3552	HEUR-Trojan-Ransom.Win32.Cryptor.gen-703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
4424	HEUR-Trojan-Ransom.Win32.Cuba.gen-d639bb64f11acc7320232966c0550a9d676485e42906132f6f6db82bb08149e1.exe
1020	1.exe
4288	d323f3fg32jh2uh8dhn2.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3616	icacls.exe
4852	icacls.exe
4828	icacls.exe
5184	icacls.exe
6444	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c000000023b8d-241.dat	themida
behavioral1/memory/4288-749-0x0000000000140000-0x0000000000B10000-memory.dmp	themida
behavioral1/memory/4288-750-0x0000000000140000-0x0000000000B10000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Local\\Updater.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fe6a3a8aefd1f4d65f8a594eb1ca80908fb551daacbdb8f344720ef85b0c4fbe.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1332	cmd.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
645	api.2ip.ua
855	api.my-ip.io
860	api.my-ip.io
161	api.ipify.org
358	api.2ip.ua
359	api.2ip.ua
634	api.myip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\img.jpg"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-222-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023cd0-221.dat	upx
behavioral1/files/0x0009000000023d24-279.dat	upx
behavioral1/memory/4940-326-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-396-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-324-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-427-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-475-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-473-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-454-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-429-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-428-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-426-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/4940-397-0x00000000022A0000-0x000000000332E000-memory.dmp	upx
behavioral1/memory/2200-580-0x0000000000400000-0x00000000005BB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
17088	14592	WerFault.exe	341

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cuba.gen-d639bb64f11acc7320232966c0550a9d676485e42906132f6f6db82bb08149e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d323f3fg32jh2uh8dhn2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b3851e5c28e260637f2bb0d27bd956234053f958c19d044c30c87ff4b731caac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.CryFile.gen-759a1edf26259c3bcddbbe4d9d15998ddcf948eecbfd368c46973700c2e59c18.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
16192	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
15688	ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5760	vssadmin.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
916	NOTEPAD.EXE

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6344	schtasks.exe
15060	schtasks.exe
16848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4072	powershell.exe
4072	powershell.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3064	7zFM.exe
4368	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	3064	7zFM.exe
Token: 35	3064	7zFM.exe
Token: SeSecurityPrivilege	3064	7zFM.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2868	taskmgr.exe
Token: SeSystemProfilePrivilege	2868	taskmgr.exe
Token: SeCreateGlobalPrivilege	2868	taskmgr.exe
Token: SeDebugPrivilege	4368	taskmgr.exe
Token: SeSystemProfilePrivilege	4368	taskmgr.exe
Token: SeCreateGlobalPrivilege	4368	taskmgr.exe
Token: 33	2868	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2868	taskmgr.exe
Token: SeDebugPrivilege	4992	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fe6a3a8aefd1f4d65f8a594eb1ca80908fb551daacbdb8f344720ef85b0c4fbe.exe
Token: SeDebugPrivilege	4540	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3064	7zFM.exe
3064	7zFM.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4368	2868	taskmgr.exe	106
PID 2868 wrote to memory of 4368	2868	taskmgr.exe	106
PID 4072 wrote to memory of 3520	4072	powershell.exe	114
PID 4072 wrote to memory of 3520	4072	powershell.exe	114
PID 3520 wrote to memory of 4108	3520	cmd.exe	115
PID 3520 wrote to memory of 4108	3520	cmd.exe	115
PID 3520 wrote to memory of 4448	3520	cmd.exe	117
PID 3520 wrote to memory of 4448	3520	cmd.exe	117
PID 3520 wrote to memory of 2152	3520	cmd.exe	118
PID 3520 wrote to memory of 2152	3520	cmd.exe	118
PID 3520 wrote to memory of 2152	3520	cmd.exe	118
PID 3520 wrote to memory of 4992	3520	cmd.exe	163
PID 3520 wrote to memory of 4992	3520	cmd.exe	163
PID 3520 wrote to memory of 4540	3520	cmd.exe	120
PID 3520 wrote to memory of 4540	3520	cmd.exe	120
PID 3520 wrote to memory of 1788	3520	cmd.exe	121
PID 3520 wrote to memory of 1788	3520	cmd.exe	121
PID 3520 wrote to memory of 3540	3520	cmd.exe	122
PID 3520 wrote to memory of 3540	3520	cmd.exe	122
PID 3520 wrote to memory of 3540	3520	cmd.exe	122
PID 3520 wrote to memory of 372	3520	cmd.exe	124
PID 3520 wrote to memory of 372	3520	cmd.exe	124
PID 3520 wrote to memory of 372	3520	cmd.exe	124
PID 3520 wrote to memory of 2200	3520	cmd.exe	125
PID 3520 wrote to memory of 2200	3520	cmd.exe	125
PID 3520 wrote to memory of 3552	3520	cmd.exe	126
PID 3520 wrote to memory of 3552	3520	cmd.exe	126
PID 3520 wrote to memory of 3552	3520	cmd.exe	126
PID 3520 wrote to memory of 4424	3520	cmd.exe	127
PID 3520 wrote to memory of 4424	3520	cmd.exe	127
PID 3520 wrote to memory of 4424	3520	cmd.exe	127
PID 4540 wrote to memory of 1020	4540	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe	130
PID 4540 wrote to memory of 1020	4540	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe	130
PID 4540 wrote to memory of 1020	4540	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe	130
PID 3540 wrote to memory of 4288	3540	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe	129
PID 3540 wrote to memory of 4288	3540	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe	129
PID 3540 wrote to memory of 4288	3540	HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe	129

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00442.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Agent.gen-adf8cbeca68a75ce767abc16dc4423ad413ca970d574a78be3426944c88d188a.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-adf8cbeca68a75ce767abc16dc4423ad413ca970d574a78be3426944c88d188a.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    PID:4108
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ecd0b35c94d9e403f656a73bb102f21ce45eb5d4e400c05c436ebb91d4394f6.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-8ecd0b35c94d9e403f656a73bb102f21ce45eb5d4e400c05c436ebb91d4394f6.exe
    3⤵
    - Executes dropped EXE
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\idman628build6.exe
      "C:\Users\Admin\AppData\Local\Temp\idman628build6.exe"
      4⤵
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        5⤵
        
        PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\Windows_Firewall.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows_Firewall.exe"
      4⤵
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\Windows Firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Firewall.exe"
        5⤵
        
        PID:5316
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Firewall.exe" "Windows Firewall.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:5256
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b3851e5c28e260637f2bb0d27bd956234053f958c19d044c30c87ff4b731caac.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b3851e5c28e260637f2bb0d27bd956234053f958c19d044c30c87ff4b731caac.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fe6a3a8aefd1f4d65f8a594eb1ca80908fb551daacbdb8f344720ef85b0c4fbe.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-fe6a3a8aefd1f4d65f8a594eb1ca80908fb551daacbdb8f344720ef85b0c4fbe.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\P.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:916
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-e3ab6ef2d2631625350025edfddff2bab14265af2d5bd60df219fb06e9c45850.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\files\1.exe
      "C:\files\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1020
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.MSIL.Foreign.gen-a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a.exe
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-6ed03bf8b4ccac4ba927f7dcbe6b5e6385f9c4e47092f4fe3bc68ec11888be33.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\d323f3fg32jh2uh8dhn2.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\d323f3fg32jh2uh8dhn2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4288
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.CryFile.gen-759a1edf26259c3bcddbbe4d9d15998ddcf948eecbfd368c46973700c2e59c18.exe
    HEUR-Trojan-Ransom.Win32.CryFile.gen-759a1edf26259c3bcddbbe4d9d15998ddcf948eecbfd368c46973700c2e59c18.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:372
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-ffa319009785e835d244f06d851637007c7b9fdb3680c473ed8739adb961a8e3.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-ffa319009785e835d244f06d851637007c7b9fdb3680c473ed8739adb961a8e3.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Cryptor.gen-703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3552
  - - C:\Users\Admin\Desktop\00442\xaIljYEKwrep.exe
      "C:\Users\Admin\Desktop\00442\xaIljYEKwrep.exe" 9 REP
      4⤵
      PID:5936
  - - C:\Users\Admin\Desktop\00442\YdQCMClVBlan.exe
      "C:\Users\Admin\Desktop\00442\YdQCMClVBlan.exe" 8 LAN
      4⤵
      PID:2812
  - - C:\Users\Admin\Desktop\00442\JNsQULtoulan.exe
      "C:\Users\Admin\Desktop\00442\JNsQULtoulan.exe" 8 LAN
      4⤵
      PID:7112
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:6444
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:5184
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "F:\*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:4828
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "Z:\*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:4852
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      4⤵
      PID:8380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        5⤵
        
        PID:10960
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      4⤵
      PID:8508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        5⤵
        
        PID:10968
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        5⤵
        
        PID:13612
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        5⤵
        
        PID:13864
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Cuba.gen-d639bb64f11acc7320232966c0550a9d676485e42906132f6f6db82bb08149e1.exe
    HEUR-Trojan-Ransom.Win32.Cuba.gen-d639bb64f11acc7320232966c0550a9d676485e42906132f6f6db82bb08149e1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4424
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Encoder.gen-3b67639018b8b9e0b8eaaa640f12f59c7dc7d09681a1e08e5a84b915095e0808.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-3b67639018b8b9e0b8eaaa640f12f59c7dc7d09681a1e08e5a84b915095e0808.exe
    3⤵
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\SystemNinjaPortable.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SystemNinjaPortable.exe"
      4⤵
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\System Ninja.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\System Ninja.exe"
        5⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\CleanSync.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\CleanSync.exe" /SYNCRULES
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\cleansync.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\App\SystemNinja\cleansync.exe" /SYNCLOCALES
        6⤵
        
        PID:1356
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-5ccb4e2ce42a9fdd6e2a73eea6a2d308dbc587d21de9fd7ef0238a063808f8db.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-5ccb4e2ce42a9fdd6e2a73eea6a2d308dbc587d21de9fd7ef0238a063808f8db.exe
    3⤵
    PID:2176
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Gen.gen-279ad0d2e7a3f48dbdf44450dec4f96ad1a4d4b3e3059e658e08c73062491f19.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-279ad0d2e7a3f48dbdf44450dec4f96ad1a4d4b3e3059e658e08c73062491f19.exe
    3⤵
    PID:4132
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-055a8b5b17eb7829910f5da4b61144acdabdef75d9815bfe4f1c5f7aa4fab5f4.exe
    HEUR-Trojan-Ransom.Win32.Generic-055a8b5b17eb7829910f5da4b61144acdabdef75d9815bfe4f1c5f7aa4fab5f4.exe
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      4⤵
      PID:4632
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-06ed05427008cc32b007373b76bc6c337b1ee73bdf251892313907093b96f3a3.exe
    HEUR-Trojan-Ransom.Win32.Generic-06ed05427008cc32b007373b76bc6c337b1ee73bdf251892313907093b96f3a3.exe
    3⤵
    PID:2944
  - - C:\Users\Admin\AppData\Roaming\joker-hell.exe
      "C:\Users\Admin\AppData\Roaming\joker-hell.exe"
      4⤵
      PID:5432
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\joker-hell.exe" "joker-hell.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:5604
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-22676a7fa8d469132dbec60a0baf79848013dec8bc0d4bf68faf5d4af754dcfe.exe
    HEUR-Trojan-Ransom.Win32.Generic-22676a7fa8d469132dbec60a0baf79848013dec8bc0d4bf68faf5d4af754dcfe.exe
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4956
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-45a1fbe5aa5ad526f8b6377ce93e451604110396b2729cb8ed84fdd0f365caa9.exe
    HEUR-Trojan-Ransom.Win32.Generic-45a1fbe5aa5ad526f8b6377ce93e451604110396b2729cb8ed84fdd0f365caa9.exe
    3⤵
    PID:4144
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F75.tmp\F76.tmp\F77.bat C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-45a1fbe5aa5ad526f8b6377ce93e451604110396b2729cb8ed84fdd0f365caa9.exe"
      4⤵
      PID:1340
    - - C:\Windows\system32\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:16192
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\LocalArea\FixTools/DRAGON.bmp /f
        5⤵
        
        PID:14844
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-52764e2e384e93e78326d72316314257c7d6c7d2c88b60c823c13bcaf7629b23.exe
    HEUR-Trojan-Ransom.Win32.Generic-52764e2e384e93e78326d72316314257c7d6c7d2c88b60c823c13bcaf7629b23.exe
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      4⤵
      PID:3268
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSDTC
        5⤵
        
        PID:284
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSDTC
        6⤵
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
      4⤵
      PID:5888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      4⤵
      PID:5656
    - - C:\Windows\SysWOW64\net.exe
        
        net stop SQLSERVERAGENT
        5⤵
        
        PID:5976
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        6⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      4⤵
      PID:4744
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSSQLSERVER
        5⤵
        
        PID:2040
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        6⤵
        
        PID:5876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop vds
      4⤵
      PID:6044
    - - C:\Windows\SysWOW64\net.exe
        
        net stop vds
        5⤵
        
        PID:5492
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vds
        6⤵
        
        PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      4⤵
      PID:3912
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:5176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
      4⤵
      PID:7096
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:6056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      4⤵
      PID:7592
    - - C:\Windows\SysWOW64\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:8548
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:7312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:7600
    - - C:\Windows\SysWOW64\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:9116
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:15932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      4⤵
      PID:16284
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSSQLSERVER
        5⤵
        
        PID:10936
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        6⤵
        
        PID:13436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      4⤵
      PID:15564
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSSQL$CONTOSO1
        5⤵
        
        PID:5608
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$CONTOSO1
        6⤵
        
        PID:1340
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
    HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
    3⤵
    PID:5096
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-a9fdbc6d20b780ca42660ad4803f391308fa0243fbc515fd3c1acf935dd43c1e.exe
    HEUR-Trojan-Ransom.Win32.Generic-a9fdbc6d20b780ca42660ad4803f391308fa0243fbc515fd3c1acf935dd43c1e.exe
    3⤵
    PID:5528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz403 /TR "vssadmin Delete Shadows /For=C:" &SCHTASKS /run /TN sz403&SCHTASKS /Delete /TN sz403 /F
      4⤵
      Indicator Removal: Clear Persistence
      PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz403 /TR "vssadmin Delete Shadows /For=C:"
        5⤵
        
        PID:1904
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /F /RU System /SC ONLOGON /TN sz403 /TR "vssadmin Delete Shadows /For=C:"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6344
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /run /TN sz403
        5⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /Delete /TN sz403 /F
        5⤵
        
        PID:1480
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c bcdedit /copy {current} /d "Lorenz Encrypt System" & bcdedit /set {current} description "Lorenz Encrypt System" & bcdedit /timeout 100000 && ipconfig
      4⤵
      PID:6556
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /copy {current} /d "Lorenz Encrypt System"
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6572
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} description "Lorenz Encrypt System"
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:11040
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /timeout 100000
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:15120
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:15688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Program Files\Lorenz.bmp"
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Program Files\Lorenz.bmp"
        5⤵
        
        PID:14548
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-b374151311e03ec13047e2992a66a787e1e9b7c1a06a78c8c051a4c4a48bf840.exe
    HEUR-Trojan-Ransom.Win32.Generic-b374151311e03ec13047e2992a66a787e1e9b7c1a06a78c8c051a4c4a48bf840.exe
    3⤵
    PID:5676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
      4⤵
      PID:5360
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        5⤵
        
        PID:5944
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmt.exe"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        5⤵
        
        PID:2712
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Generic-f9f20ca0a61f83cd1ba52d6c5c31445900e6ed5459f85527613292db56229794.exe
    HEUR-Trojan-Ransom.Win32.Generic-f9f20ca0a61f83cd1ba52d6c5c31445900e6ed5459f85527613292db56229794.exe
    3⤵
    PID:4512
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Sodin.vho-fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe
    HEUR-Trojan-Ransom.Win32.Sodin.vho-fd164c4c121371f94cfd3a034ad8cf8edc7c0f7141a8f4c9da1683d41b212a87.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
    3⤵
    PID:5460
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\beaa10ba-daf2-4a85-b72e-ee0cc19a4a66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:3616
    - - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
        
        "C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:6940
      - C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe
        
        "C:\Users\Admin\Desktop\00442\HEUR-Trojan-Ransom.Win32.Stop.gen-2e8922bbfc8d35adf05bdc7d90168b3ba17a8412d66951e87e76f12350d252a5.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:11224
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe
    HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe
    3⤵
    PID:4556
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe"
      4⤵
      PID:17220
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe"
      4⤵
      PID:17384
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c04af468c32ceaa1f7870c7a9962cf6c13a9941499fe1e7ec04327d6abb01a97.exe"
      4⤵
      PID:6712
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe
    HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe
    3⤵
    PID:1420
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe"
      4⤵
      PID:17252
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c46a577975367c2ea04555d035a7a3960e369a64196412db86b2acd984d41fa4.exe"
      4⤵
      PID:13860
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c8a1cf196c674ee93358f6cd6e0ab5c88e654d1f8a115507e937c7cb507d9879.exe
    HEUR-Trojan.MSIL.Crypt.gen-c8a1cf196c674ee93358f6cd6e0ab5c88e654d1f8a115507e937c7cb507d9879.exe
    3⤵
    PID:5900
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-c8ca7dc91eb1da6a7319f4ea608a4522499ab081567ce3bf520ec907f632b67c.exe
    HEUR-Trojan.MSIL.Crypt.gen-c8ca7dc91eb1da6a7319f4ea608a4522499ab081567ce3bf520ec907f632b67c.exe
    3⤵
    PID:3548
  - - C:\Users\Admin\AppData\Roaming\WindowsApplication1\Checker\1.0.0.0.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApplication1\Checker\1.0.0.0.exe"
      4⤵
      PID:6112
    - - C:\ProgramData\GoogleUpdate.exe
        
        "C:\ProgramData\GoogleUpdate.exe"
        5⤵
        
        PID:16144
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\GoogleUpdate.exe" "GoogleUpdate.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:14820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programscracker SPIDER.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programscracker SPIDER.exe"
      4⤵
      PID:6104
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-d695b176840b1ef6e92aa382e35a3a2a1457d0d3a1e75b83e1a2ccd49e1f9897.exe
    HEUR-Trojan.MSIL.Crypt.gen-d695b176840b1ef6e92aa382e35a3a2a1457d0d3a1e75b83e1a2ccd49e1f9897.exe
    3⤵
    PID:1216
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-d695b176840b1ef6e92aa382e35a3a2a1457d0d3a1e75b83e1a2ccd49e1f9897.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-d695b176840b1ef6e92aa382e35a3a2a1457d0d3a1e75b83e1a2ccd49e1f9897.exe"
      4⤵
      PID:6536
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-da40b4795dc1e587aa08ec1c379245d23c9baf7630580355b08e1628546151dd.exe
    HEUR-Trojan.MSIL.Crypt.gen-da40b4795dc1e587aa08ec1c379245d23c9baf7630580355b08e1628546151dd.exe
    3⤵
    PID:6336
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-ddc2d90201d30cf89851362ca7db3dc7a1fad18acd23a8300080589f7989f68b.exe
    HEUR-Trojan.MSIL.Crypt.gen-ddc2d90201d30cf89851362ca7db3dc7a1fad18acd23a8300080589f7989f68b.exe
    3⤵
    PID:912
  - - C:\ProgramData\conhost.exe
      "C:\ProgramData\conhost.exe"
      4⤵
      PID:5240
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\conhost.exe" "conhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:12232
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-deb0420f07aa9dcd5ad84487ca66827df881c106798916ec3b7d6e27b9203ec7.exe
    HEUR-Trojan.MSIL.Crypt.gen-deb0420f07aa9dcd5ad84487ca66827df881c106798916ec3b7d6e27b9203ec7.exe
    3⤵
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\oneFile.exe
      "C:\Users\Admin\AppData\Local\Temp\oneFile.exe"
      4⤵
      PID:8408
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram \"C:\Users\Admin\AppData\Local\Temp\oneFile.exe\" \"oneFile.exe\" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:13440
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-f27509cc12a904e34fea2c9e57b08db656556bb1aa2546a5350a4e2b5ce5a2e0.exe
    HEUR-Trojan.MSIL.Crypt.gen-f27509cc12a904e34fea2c9e57b08db656556bb1aa2546a5350a4e2b5ce5a2e0.exe
    3⤵
    PID:5864
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-f54de265ee596dad552b2266331aae83af49e7c06b07b5f702790944a47e8776.exe
    HEUR-Trojan.MSIL.Crypt.gen-f54de265ee596dad552b2266331aae83af49e7c06b07b5f702790944a47e8776.exe
    3⤵
    PID:5940
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-f8fd816d1a4f7acd72eb9d3c3819b05a004f02e69db6ace5590e5c82c19a46ea.exe
    HEUR-Trojan.MSIL.Crypt.gen-f8fd816d1a4f7acd72eb9d3c3819b05a004f02e69db6ace5590e5c82c19a46ea.exe
    3⤵
    PID:8012
  - - C:\Users\Admin\AppData\Local\Temp\CcK_O51y.exe
      "C:\Users\Admin\AppData\Local\Temp\CcK_O51y.exe"
      4⤵
      PID:13840
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CcK_O51y.exe" "CcK_O51y.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:15572
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-fa8e43ddb5a6bfb5ab7b97eb7d89abb2f0dd707fb79476ea039a29ff49009b09.exe
    HEUR-Trojan.MSIL.Crypt.gen-fa8e43ddb5a6bfb5ab7b97eb7d89abb2f0dd707fb79476ea039a29ff49009b09.exe
    3⤵
    PID:7424
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-fa8e43ddb5a6bfb5ab7b97eb7d89abb2f0dd707fb79476ea039a29ff49009b09.exe
      "C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-fa8e43ddb5a6bfb5ab7b97eb7d89abb2f0dd707fb79476ea039a29ff49009b09.exe"
      4⤵
      PID:6564
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-fb4de36ff38a036705818546b679f72f2a0cec04f7e0532dda016d1717091592.exe
    HEUR-Trojan.MSIL.Crypt.gen-fb4de36ff38a036705818546b679f72f2a0cec04f7e0532dda016d1717091592.exe
    3⤵
    PID:13592
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-fb82f218d502fcce8150894ae8057d0f05b33efb5b3a67702519b0e332f8992c.exe
    HEUR-Trojan.MSIL.Crypt.gen-fb82f218d502fcce8150894ae8057d0f05b33efb5b3a67702519b0e332f8992c.exe
    3⤵
    PID:7624
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Crypt.gen-ffdbe4a151dc79655d82564b28027aa566f1a5b940d31fb88139c281d61500fc.exe
    HEUR-Trojan.MSIL.Crypt.gen-ffdbe4a151dc79655d82564b28027aa566f1a5b940d31fb88139c281d61500fc.exe
    3⤵
    PID:10772
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
    HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
    3⤵
    PID:15432
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe HEDJDGE EDHEDGEJE
      4⤵
      PID:15400
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe HEDJDGE EDHEDGEJE
      4⤵
      PID:16732
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe HEDJDGE EDHEDGEJE
      4⤵
      PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe HEDJDGE EDHEDGEJE
      4⤵
      PID:15000
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-9b3e5586b8cd6ba3cac38694fd26a090c30c9b91a2a120f0e242da7eb7f5d239.exe HEDJDGE EDHEDGEJE
      4⤵
      PID:6672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp409D.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:15060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:16848
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Cryptos.gen-a7b3571b0aae5dc45c0a181548acf0b32ae6407db8e4811cedcd114e379d1b91.exe
    HEUR-Trojan.MSIL.Cryptos.gen-a7b3571b0aae5dc45c0a181548acf0b32ae6407db8e4811cedcd114e379d1b91.exe
    3⤵
    PID:16804
  - - C:\WINDOWS\explorer.exe
      C:\WINDOWS\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.minexmr.com:443 --user=433eE24rKZN6R3fRFBbWd2aGmUrv4DHsJ649JHywEiehLnfTtNzNCzCLJBknY2azohPs6dTv3v71YVmtNy7urenF8pVEZ7x --pass=Master --cpu-max-threads-hint=20 --donate-level=5
      4⤵
      PID:6292
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.MSIL.Cryptos.gen-af3c7e33bd1784f28a1eb2e7dd8e930c2282c04bd4777681cc3061b0b02f1467.exe
    HEUR-Trojan.MSIL.Cryptos.gen-af3c7e33bd1784f28a1eb2e7dd8e930c2282c04bd4777681cc3061b0b02f1467.exe
    3⤵
    PID:16704
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.Win32.Crypt.gen-295d67404d02862338e9ad33c0e4889a6454bf15b2b02c9285a7f691b3b58fd2.exe
    HEUR-Trojan.Win32.Crypt.gen-295d67404d02862338e9ad33c0e4889a6454bf15b2b02c9285a7f691b3b58fd2.exe
    3⤵
    PID:14856
- - C:\Users\Admin\Desktop\00442\HEUR-Trojan.Win32.Crypt.gen-b06ae4c035656f13a44b3aa8eebf529002e5f11cb87da539b6d7005dcbd18b1e.exe
    HEUR-Trojan.Win32.Crypt.gen-b06ae4c035656f13a44b3aa8eebf529002e5f11cb87da539b6d7005dcbd18b1e.exe
    3⤵
    PID:14176
  - - C:\Users\Admin\Desktop\00442\HEUR-Trojan.Win32.Crypt.gen-b06ae4c035656f13a44b3aa8eebf529002e5f11cb87da539b6d7005dcbd18b1e.exe
      C:\Users\Admin\Desktop\00442\HEUR-Trojan.Win32.Crypt.gen-b06ae4c035656f13a44b3aa8eebf529002e5f11cb87da539b6d7005dcbd18b1e.exe
      4⤵
      PID:17296
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.gyoq-0cce66472ef1aa057f4ef419afcc905984f0b4de5e77d0e9e52b8594ed7841b6.exe
    Trojan-Ransom.Win32.Blocker.gyoq-0cce66472ef1aa057f4ef419afcc905984f0b4de5e77d0e9e52b8594ed7841b6.exe
    3⤵
    PID:16740
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.hgec-449729ff79edea4e0e8864d0cb9b61dd389bafaebb7086b141c860963fff5235.exe
    Trojan-Ransom.Win32.Blocker.hgec-449729ff79edea4e0e8864d0cb9b61dd389bafaebb7086b141c860963fff5235.exe
    3⤵
    PID:15892
  - - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.hgec-449729ff79edea4e0e8864d0cb9b61dd389bafaebb7086b141c860963fff5235.exe
      "C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.hgec-449729ff79edea4e0e8864d0cb9b61dd389bafaebb7086b141c860963fff5235.exe"
      4⤵
      PID:14592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14592 -s 280
        5⤵
        Program crash
        
        PID:17088
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.jzec-8746e8b34b6948b17612be62a176ab5bb006111a74e8c37b6ef783963b49e221.exe
    Trojan-Ransom.Win32.Blocker.jzec-8746e8b34b6948b17612be62a176ab5bb006111a74e8c37b6ef783963b49e221.exe
    3⤵
    PID:6120
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.kpuo-a8aa0911f6bffe308af1db01f29765ae325cd03f90f23ae241290dd0bffa5b34.exe
    Trojan-Ransom.Win32.Blocker.kpuo-a8aa0911f6bffe308af1db01f29765ae325cd03f90f23ae241290dd0bffa5b34.exe
    3⤵
    PID:7156
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.najc-eb108f13a7f8e1c7ead29706bfba60404b29ceb51d9eaebf6a2429e63009f515.exe
    Trojan-Ransom.Win32.Blocker.najc-eb108f13a7f8e1c7ead29706bfba60404b29ceb51d9eaebf6a2429e63009f515.exe
    3⤵
    PID:13656
  - - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.najc-eb108f13a7f8e1c7ead29706bfba60404b29ceb51d9eaebf6a2429e63009f515.exe
      Trojan-Ransom.Win32.Blocker.najc-eb108f13a7f8e1c7ead29706bfba60404b29ceb51d9eaebf6a2429e63009f515.exe
      4⤵
      PID:16672
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.namn-71e050e75ef81c25007c8c23a72fdacdd5573e691d003b54a13546a36e6014f5.exe
    Trojan-Ransom.Win32.Blocker.namn-71e050e75ef81c25007c8c23a72fdacdd5573e691d003b54a13546a36e6014f5.exe
    3⤵
    PID:15284
  - - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.namn-71e050e75ef81c25007c8c23a72fdacdd5573e691d003b54a13546a36e6014f5.exe
      Trojan-Ransom.Win32.Blocker.namn-71e050e75ef81c25007c8c23a72fdacdd5573e691d003b54a13546a36e6014f5.exe
      4⤵
      PID:7464
- - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.naoc-f35a6ae21eb25c186c55445ee8a2861343de885b8f85cfbeecfe8371d76cb0fe.exe
    Trojan-Ransom.Win32.Blocker.naoc-f35a6ae21eb25c186c55445ee8a2861343de885b8f85cfbeecfe8371d76cb0fe.exe
    3⤵
    PID:8028
  - - C:\Users\Admin\Desktop\00442\Trojan-Ransom.Win32.Blocker.naoc-f35a6ae21eb25c186c55445ee8a2861343de885b8f85cfbeecfe8371d76cb0fe.exe
      Trojan-Ransom.Win32.Blocker.naoc-f35a6ae21eb25c186c55445ee8a2861343de885b8f85cfbeecfe8371d76cb0fe.exe
      4⤵
      PID:16128

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4368

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:4940

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:2100

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4992

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-055a8b5b17eb7829910f5da4b61144acdabdef75d9815bfe4f1c5f7aa4fab5f4.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-055a8b5b17eb7829910f5da4b61144acdabdef75d9815bfe4f1c5f7aa4fab5f4.exe
1⤵
PID:4396
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:15588

C:\Windows\system32\vssadmin.EXE
C:\Windows\system32\vssadmin.EXE Delete Shadows /For=C:
1⤵
- Interacts with shadow copies
PID:5760

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:15648

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:17108

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
PID:14828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 14592 -ip 14592
1⤵
PID:16480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery