wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Target

important.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2796 created 2648	2796	SystemSettings.exe	48

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
1908	taskdl.exe
920	taskdl.exe
2528	@[email protected]
3000	@[email protected]
3660	taskhsvc.exe
2168	taskse.exe
3616	@[email protected]
920	taskdl.exe
3252	taskse.exe
3680	@[email protected]
3972	taskdl.exe
4088	taskse.exe
3668	@[email protected]
2276	taskdl.exe
3816	taskse.exe
3352	@[email protected]
1700	taskdl.exe
2760	taskse.exe
3244	@[email protected]
3612	taskdl.exe
1256	taskse.exe
1208	@[email protected]
3356	taskdl.exe
3656	taskse.exe
3648	@[email protected]
988	taskdl.exe
1676	taskse.exe
2408	@[email protected]
3684	taskdl.exe
1488	taskse.exe
3188	@[email protected]
3180	taskdl.exe
2848	taskse.exe
1704	@[email protected]
712	taskdl.exe
3996	taskse.exe
2388	@[email protected]
1820	taskdl.exe
4088	taskse.exe
1684	@[email protected]
1092	taskdl.exe
940	taskse.exe
3860	@[email protected]
204	taskdl.exe
4028	taskse.exe
3352	@[email protected]
3732	taskdl.exe
3008	taskse.exe
4044	@[email protected]
2760	taskdl.exe
3612	taskse.exe
2260	@[email protected]
1256	taskdl.exe
3356	taskse.exe
2196	@[email protected]
1816	taskdl.exe
3648	taskse.exe
3468	@[email protected]
1628	taskdl.exe
3592	taskse.exe
652	@[email protected]
2940	taskdl.exe
3064	taskse.exe
844	@[email protected]

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ClosePublish.png.WNCRY	important.exe
File renamed	C:\Users\Admin\Pictures\FindSuspend.tiff.WNCRYT => C:\Users\Admin\Pictures\FindSuspend.tiff.WNCRY	important.exe
File opened for modification	C:\Users\Admin\Pictures\FindSuspend.tiff.WNCRY	important.exe
File created	C:\Users\Admin\Pictures\ReadConnect.tiff.WNCRYT	important.exe
File opened for modification	C:\Users\Admin\Pictures\ReadConnect.tiff.WNCRY	important.exe
File renamed	C:\Users\Admin\Pictures\RepairOpen.png.WNCRYT => C:\Users\Admin\Pictures\RepairOpen.png.WNCRY	important.exe
File renamed	C:\Users\Admin\Pictures\ClosePublish.png.WNCRYT => C:\Users\Admin\Pictures\ClosePublish.png.WNCRY	important.exe
File renamed	C:\Users\Admin\Pictures\ReadConnect.tiff.WNCRYT => C:\Users\Admin\Pictures\ReadConnect.tiff.WNCRY	important.exe
File created	C:\Users\Admin\Pictures\RepairOpen.png.WNCRYT	important.exe
File opened for modification	C:\Users\Admin\Pictures\FindSuspend.tiff	important.exe
File created	C:\Users\Admin\Pictures\ClosePublish.png.WNCRYT	important.exe
File created	C:\Users\Admin\Pictures\FindSuspend.tiff.WNCRYT	important.exe
File opened for modification	C:\Users\Admin\Pictures\RepairOpen.png.WNCRY	important.exe
File opened for modification	C:\Users\Admin\Pictures\ReadConnect.tiff	important.exe

Drops startup file 18 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1609.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD162F.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD60.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD77.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3014.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1C88.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD225E.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1C52.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1B88.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD29E5.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD720.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD176.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD29EC.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD709.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2275.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD160.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1B8F.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD302B.tmp	important.exe

Loads dropped DLL 7 IoCs

pid	Process
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3852	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rvndoxuid336 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Maps connected drives based on registry 3 TTPs 7 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mmc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count = "0"	mmc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\NextInstance = "0"	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	mmc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mmc.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	important.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 61 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\ramdisk.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File opened for modification	C:\Windows\setupact.log	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File opened for modification	C:\Windows\setuperr.log	mmc.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\rescache\_merged\1742034116\2087166547.pri	SystemSettings.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\rescache\_merged\421858948\382050043.pri	LogonUI.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	mmc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	mmc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ContainerID	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	mmc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	mmc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties	mmc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	mmc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000C	mmc.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Driver	mmc.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceReported	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Driver	mmc.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LocationInformation	mmc.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Device Parameters\Partmgr	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000\Device Parameters	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007	mmc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	mmc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1292	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3828	taskkill.exe
1428	taskkill.exe
3008	taskkill.exe
3132	taskkill.exe
4044	taskkill.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	control.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
860	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe
3660	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	mmc.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2812	Process not Found
3468	Process not Found
968	Process not Found
1764	Process not Found
1956	Process not Found
3380	Process not Found
1664	Process not Found
1256	Process not Found
3284	Process not Found
2820	Process not Found
1208	Process not Found
1880	Process not Found
3112	Process not Found
2288	Process not Found
2316	Process not Found
2236	Process not Found
4080	Process not Found
548	Process not Found
3280	Process not Found
2900	Process not Found
1284	Process not Found
2300	Process not Found
2432	Process not Found
2400	Process not Found
3788	Process not Found
1324	Process not Found
1628	Process not Found
3048	Process not Found
1092	Process not Found
2760	Process not Found
3144	Process not Found
2424	Process not Found
2604	Process not Found
1408	Process not Found
3972	Process not Found
4004	Process not Found
3000	Process not Found
3196	Process not Found
3132	Process not Found
2220	Process not Found
2960	Process not Found
2588	Process not Found
400	Process not Found
3392	Process not Found
724	Process not Found
840	Process not Found
3452	Process not Found
3568	Process not Found
3164	Process not Found
2808	Process not Found
3652	Process not Found
1032	Process not Found
2440	Process not Found
1072	Process not Found
2160	Process not Found
1572	Process not Found
3388	Process not Found
552	Process not Found
2620	Process not Found
1632	Process not Found
3156	Process not Found
3596	Process not Found
1008	Process not Found
2680	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3156	vssvc.exe
Token: SeRestorePrivilege	3156	vssvc.exe
Token: SeAuditPrivilege	3156	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3644	WMIC.exe
Token: SeSecurityPrivilege	3644	WMIC.exe
Token: SeTakeOwnershipPrivilege	3644	WMIC.exe
Token: SeLoadDriverPrivilege	3644	WMIC.exe
Token: SeSystemProfilePrivilege	3644	WMIC.exe
Token: SeSystemtimePrivilege	3644	WMIC.exe
Token: SeProfSingleProcessPrivilege	3644	WMIC.exe
Token: SeIncBasePriorityPrivilege	3644	WMIC.exe
Token: SeCreatePagefilePrivilege	3644	WMIC.exe
Token: SeBackupPrivilege	3644	WMIC.exe
Token: SeRestorePrivilege	3644	WMIC.exe
Token: SeShutdownPrivilege	3644	WMIC.exe
Token: SeDebugPrivilege	3644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3644	WMIC.exe
Token: SeRemoteShutdownPrivilege	3644	WMIC.exe
Token: SeUndockPrivilege	3644	WMIC.exe
Token: SeManageVolumePrivilege	3644	WMIC.exe
Token: 33	3644	WMIC.exe
Token: 34	3644	WMIC.exe
Token: 35	3644	WMIC.exe
Token: 36	3644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3644	WMIC.exe
Token: SeSecurityPrivilege	3644	WMIC.exe
Token: SeTakeOwnershipPrivilege	3644	WMIC.exe
Token: SeLoadDriverPrivilege	3644	WMIC.exe
Token: SeSystemProfilePrivilege	3644	WMIC.exe
Token: SeSystemtimePrivilege	3644	WMIC.exe
Token: SeProfSingleProcessPrivilege	3644	WMIC.exe
Token: SeIncBasePriorityPrivilege	3644	WMIC.exe
Token: SeCreatePagefilePrivilege	3644	WMIC.exe
Token: SeBackupPrivilege	3644	WMIC.exe
Token: SeRestorePrivilege	3644	WMIC.exe
Token: SeShutdownPrivilege	3644	WMIC.exe
Token: SeDebugPrivilege	3644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3644	WMIC.exe
Token: SeRemoteShutdownPrivilege	3644	WMIC.exe
Token: SeUndockPrivilege	3644	WMIC.exe
Token: SeManageVolumePrivilege	3644	WMIC.exe
Token: 33	3644	WMIC.exe
Token: 34	3644	WMIC.exe
Token: 35	3644	WMIC.exe
Token: 36	3644	WMIC.exe
Token: SeTcbPrivilege	2168	taskse.exe
Token: SeTcbPrivilege	2168	taskse.exe
Token: SeTcbPrivilege	3252	taskse.exe
Token: SeTcbPrivilege	3252	taskse.exe
Token: SeTcbPrivilege	4088	taskse.exe
Token: SeTcbPrivilege	4088	taskse.exe
Token: SeTcbPrivilege	3816	taskse.exe
Token: SeTcbPrivilege	3816	taskse.exe
Token: SeTcbPrivilege	2760	taskse.exe
Token: SeTcbPrivilege	2760	taskse.exe
Token: SeTcbPrivilege	1256	taskse.exe
Token: SeTcbPrivilege	1256	taskse.exe
Token: SeTcbPrivilege	3656	taskse.exe
Token: SeTcbPrivilege	3656	taskse.exe
Token: SeTcbPrivilege	1676	taskse.exe
Token: SeTcbPrivilege	1676	taskse.exe
Token: SeTcbPrivilege	1488	taskse.exe
Token: SeTcbPrivilege	1488	taskse.exe
Token: SeTcbPrivilege	2848	taskse.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3616	@[email protected]

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2528	@[email protected]
3000	@[email protected]
2528	@[email protected]
3000	@[email protected]
3616	@[email protected]
3616	@[email protected]
3680	@[email protected]
3668	@[email protected]
3352	@[email protected]
3244	@[email protected]
1208	@[email protected]
3648	@[email protected]
2408	@[email protected]
3188	@[email protected]
1704	@[email protected]
2388	@[email protected]
1684	@[email protected]
3860	@[email protected]
3352	@[email protected]
4044	@[email protected]
2260	@[email protected]
2196	@[email protected]
3468	@[email protected]
652	@[email protected]
844	@[email protected]
3044	@[email protected]
2764	@[email protected]
4040	@[email protected]
3160	@[email protected]
3252	@[email protected]
680	@[email protected]
1136	@[email protected]
2848	@[email protected]
1036	@[email protected]
4036	@[email protected]
2412	@[email protected]
1308	@[email protected]
1056	@[email protected]
156	@[email protected]
208	@[email protected]
2220	@[email protected]
2960	@[email protected]
3552	@[email protected]
920	@[email protected]
1616	@[email protected]
1864	@[email protected]
2796	SystemSettings.exe
2228	@[email protected]
420	@[email protected]
3864	SystemSettingsAdminFlows.exe
2220	@[email protected]
2712	mmc.exe
2712	mmc.exe
196	@[email protected]
1484	@[email protected]
188	@[email protected]
1524	@[email protected]
2712	mmc.exe
64	@[email protected]
2940	@[email protected]
3468	@[email protected]
2096	@[email protected]
3612	LogonUI.exe
3612	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3828	2188	important.exe	69
PID 2188 wrote to memory of 3828	2188	important.exe	69
PID 2188 wrote to memory of 3828	2188	important.exe	69
PID 2188 wrote to memory of 3852	2188	important.exe	70
PID 2188 wrote to memory of 3852	2188	important.exe	70
PID 2188 wrote to memory of 3852	2188	important.exe	70
PID 2188 wrote to memory of 1908	2188	important.exe	73
PID 2188 wrote to memory of 1908	2188	important.exe	73
PID 2188 wrote to memory of 1908	2188	important.exe	73
PID 2188 wrote to memory of 548	2188	important.exe	74
PID 2188 wrote to memory of 548	2188	important.exe	74
PID 2188 wrote to memory of 548	2188	important.exe	74
PID 548 wrote to memory of 3812	548	cmd.exe	76
PID 548 wrote to memory of 3812	548	cmd.exe	76
PID 548 wrote to memory of 3812	548	cmd.exe	76
PID 2188 wrote to memory of 920	2188	important.exe	83
PID 2188 wrote to memory of 920	2188	important.exe	83
PID 2188 wrote to memory of 920	2188	important.exe	83
PID 2188 wrote to memory of 2528	2188	important.exe	84
PID 2188 wrote to memory of 2528	2188	important.exe	84
PID 2188 wrote to memory of 2528	2188	important.exe	84
PID 2188 wrote to memory of 1492	2188	important.exe	85
PID 2188 wrote to memory of 1492	2188	important.exe	85
PID 2188 wrote to memory of 1492	2188	important.exe	85
PID 1492 wrote to memory of 3000	1492	cmd.exe	87
PID 1492 wrote to memory of 3000	1492	cmd.exe	87
PID 1492 wrote to memory of 3000	1492	cmd.exe	87
PID 2528 wrote to memory of 3660	2528	@[email protected]	89
PID 2528 wrote to memory of 3660	2528	@[email protected]	89
PID 2528 wrote to memory of 3660	2528	@[email protected]	89
PID 3000 wrote to memory of 1468	3000	@[email protected]	93
PID 3000 wrote to memory of 1468	3000	@[email protected]	93
PID 3000 wrote to memory of 1468	3000	@[email protected]	93
PID 1468 wrote to memory of 1292	1468	cmd.exe	95
PID 1468 wrote to memory of 1292	1468	cmd.exe	95
PID 1468 wrote to memory of 1292	1468	cmd.exe	95
PID 1468 wrote to memory of 3644	1468	cmd.exe	97
PID 1468 wrote to memory of 3644	1468	cmd.exe	97
PID 1468 wrote to memory of 3644	1468	cmd.exe	97
PID 2188 wrote to memory of 2168	2188	important.exe	101
PID 2188 wrote to memory of 2168	2188	important.exe	101
PID 2188 wrote to memory of 2168	2188	important.exe	101
PID 2188 wrote to memory of 3616	2188	important.exe	102
PID 2188 wrote to memory of 3616	2188	important.exe	102
PID 2188 wrote to memory of 3616	2188	important.exe	102
PID 2188 wrote to memory of 1412	2188	important.exe	103
PID 2188 wrote to memory of 1412	2188	important.exe	103
PID 2188 wrote to memory of 1412	2188	important.exe	103
PID 1412 wrote to memory of 860	1412	cmd.exe	105
PID 1412 wrote to memory of 860	1412	cmd.exe	105
PID 1412 wrote to memory of 860	1412	cmd.exe	105
PID 2188 wrote to memory of 920	2188	important.exe	106
PID 2188 wrote to memory of 920	2188	important.exe	106
PID 2188 wrote to memory of 920	2188	important.exe	106
PID 2188 wrote to memory of 3252	2188	important.exe	107
PID 2188 wrote to memory of 3252	2188	important.exe	107
PID 2188 wrote to memory of 3252	2188	important.exe	107
PID 2188 wrote to memory of 3680	2188	important.exe	108
PID 2188 wrote to memory of 3680	2188	important.exe	108
PID 2188 wrote to memory of 3680	2188	important.exe	108
PID 2188 wrote to memory of 3972	2188	important.exe	109
PID 2188 wrote to memory of 3972	2188	important.exe	109
PID 2188 wrote to memory of 3972	2188	important.exe	109
PID 2188 wrote to memory of 4088	2188	important.exe	110

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3828	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2648
- C:\Users\Admin\AppData\Local\Temp\important.exe
  "C:\Users\Admin\AppData\Local\Temp\important.exe"
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:3828
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 308451634875137.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:3812
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1292
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rvndoxuid336" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rvndoxuid336" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3972
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3352
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3356
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3180
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:712
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:940
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:204
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3352
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3356
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:844
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3196
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3972
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3284
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:680
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3720
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:548
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:396
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:156
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:196
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    PID:3132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:420
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3284
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:196
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:384
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:188
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:1284
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:3404
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    PID:3232
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:2220
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  "C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoveDevice 638 439 128 32 {d4bdab5f-bc84-5394-8642-ae29ccd6bd05}
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
  2⤵
  - Modifies registry class
  PID:1220
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
    3⤵
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
PID:3524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348
1⤵
PID:3864

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aee855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-121-0x000000001000E000-0x000000001000F000-memory.dmp

Filesize
4KB

Download
memory/2188-120-0x0000000010007000-0x000000001000C000-memory.dmp

Filesize
20KB

Download
memory/2188-119-0x0000000010001000-0x0000000010007000-memory.dmp

Filesize
24KB

Download
memory/3660-192-0x0000000073920000-0x0000000073942000-memory.dmp

Filesize
136KB

Download
memory/3660-189-0x0000000073670000-0x000000007388C000-memory.dmp

Filesize
2.1MB

Download
memory/3660-188-0x0000000073890000-0x0000000073912000-memory.dmp

Filesize
520KB

Download
memory/3660-190-0x0000000073890000-0x0000000073912000-memory.dmp

Filesize
520KB

Download
memory/3660-193-0x0000000073560000-0x00000000735E2000-memory.dmp

Filesize
520KB

Download
memory/3660-195-0x0000000073920000-0x0000000073942000-memory.dmp

Filesize
136KB

Download
memory/3660-197-0x00000000013B0000-0x00000000016AE000-memory.dmp

Filesize
3.0MB

Download
memory/3660-191-0x0000000073560000-0x00000000735E2000-memory.dmp

Filesize
520KB

Download
memory/3660-196-0x00000000013B0000-0x00000000016AE000-memory.dmp

Filesize
3.0MB

Download
memory/3660-194-0x0000000073670000-0x000000007388C000-memory.dmp

Filesize
2.1MB

Download
memory/3864-257-0x000001B66E2F0000-0x000001B66E2F2000-memory.dmp

Filesize
8KB

Download
memory/3864-256-0x000001B66E2F0000-0x000001B66E2F2000-memory.dmp

Filesize
8KB

Download
memory/3864-255-0x000001B66E2F0000-0x000001B66E2F2000-memory.dmp

Filesize
8KB

Download