Analysis
  max time kernel:  148s
  max time network: 146s
  platform:         windows10_x64
  resource:         win10-en-20211014
  submitted:        07/12/2021, 13:39
Static task: static1

Behavioral task: behavioral1
  Sample:   ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  Resource: win7-en-20211104

Behavioral task: behavioral2
  Sample:   ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  Resource: win10-en-20211014
General
  Target: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  Size:   3.4MB
  MD5:    84c82835a5d21bbcf75a61706d8ab549
  SHA1:   5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Malware Config
  Extracted from: C:\Users\Admin\AppData\Local\Temp\@[email protected]
  Family:         wannacry
  115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (14 IoCs)
  pid   Process
  644   taskdl.exe
  3800  taskdl.exe
  1940  @[email protected]
  3608  @[email protected]
  4872  taskhsvc.exe
  2628  taskse.exe
  4512  @[email protected]
  1404  taskdl.exe
  3768  taskse.exe
  1044  @[email protected]
  2036  taskdl.exe
  2312  taskse.exe
  2456  @[email protected]
  2104  taskdl.exe
Modifies extensions of user files (21 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process for all 21 entries: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  description                   ioc
  File opened for modification  C:\Users\Admin\Pictures\GroupUnlock.tif.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\SwitchTest.png.WNCRY
  File created                  C:\Users\Admin\Pictures\GroupUnlock.tif.WNCRYT
  File created                  C:\Users\Admin\Pictures\LimitResolve.raw.WNCRYT
  File created                  C:\Users\Admin\Pictures\UnpublishUnprotect.raw.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\UseImport.png.WNCRY
  File renamed                  C:\Users\Admin\Pictures\ExitUninstall.png.WNCRYT => C:\Users\Admin\Pictures\ExitUninstall.png.WNCRY
  File created                  C:\Users\Admin\Pictures\FindCompress.png.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\FindCompress.png.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\LimitResolve.raw.WNCRY
  File created                  C:\Users\Admin\Pictures\SwitchTest.png.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\UnpublishUnprotect.raw.WNCRY
  File created                  C:\Users\Admin\Pictures\UseImport.png.WNCRYT
  File created                  C:\Users\Admin\Pictures\ExitUninstall.png.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\ExitUninstall.png.WNCRY
  File renamed                  C:\Users\Admin\Pictures\FindCompress.png.WNCRYT => C:\Users\Admin\Pictures\FindCompress.png.WNCRY
  File renamed                  C:\Users\Admin\Pictures\UnpublishUnprotect.raw.WNCRYT => C:\Users\Admin\Pictures\UnpublishUnprotect.raw.WNCRY
  File renamed                  C:\Users\Admin\Pictures\UseImport.png.WNCRYT => C:\Users\Admin\Pictures\UseImport.png.WNCRY
  File renamed                  C:\Users\Admin\Pictures\GroupUnlock.tif.WNCRYT => C:\Users\Admin\Pictures\GroupUnlock.tif.WNCRY
  File renamed                  C:\Users\Admin\Pictures\LimitResolve.raw.WNCRYT => C:\Users\Admin\Pictures\LimitResolve.raw.WNCRY
  File renamed                  C:\Users\Admin\Pictures\SwitchTest.png.WNCRYT => C:\Users\Admin\Pictures\SwitchTest.png.WNCRY

Drops startup file (2 IoCs)
  Process for both entries: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  description                   ioc
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2C33.tmp
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2C69.tmp
Loads dropped DLL (7 IoCs)
  pid   Process
  4872  taskhsvc.exe  (listed 7 times)

Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  4200  icacls.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
                   Process: reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ysbppvej396 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""
                   Process: reg.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
                   Process: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
                   Process: @[email protected]
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  4552  vssadmin.exe

Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  1220  reg.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  4872  taskhsvc.exe  (listed 8 times)
Suspicious use of AdjustPrivilegeToken (51 IoCs)
  description                          pid   Process
  Token: SeBackupPrivilege             768   vssvc.exe
  Token: SeRestorePrivilege            768   vssvc.exe
  Token: SeAuditPrivilege              768   vssvc.exe
  The following 21 tokens are each listed twice for pid 4864 WMIC.exe (42 entries):
  Token: SeIncreaseQuotaPrivilege      4864  WMIC.exe
  Token: SeSecurityPrivilege           4864  WMIC.exe
  Token: SeTakeOwnershipPrivilege      4864  WMIC.exe
  Token: SeLoadDriverPrivilege         4864  WMIC.exe
  Token: SeSystemProfilePrivilege      4864  WMIC.exe
  Token: SeSystemtimePrivilege         4864  WMIC.exe
  Token: SeProfSingleProcessPrivilege  4864  WMIC.exe
  Token: SeIncBasePriorityPrivilege    4864  WMIC.exe
  Token: SeCreatePagefilePrivilege     4864  WMIC.exe
  Token: SeBackupPrivilege             4864  WMIC.exe
  Token: SeRestorePrivilege            4864  WMIC.exe
  Token: SeShutdownPrivilege           4864  WMIC.exe
  Token: SeDebugPrivilege              4864  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  4864  WMIC.exe
  Token: SeRemoteShutdownPrivilege     4864  WMIC.exe
  Token: SeUndockPrivilege             4864  WMIC.exe
  Token: SeManageVolumePrivilege       4864  WMIC.exe
  Token: 33                            4864  WMIC.exe
  Token: 34                            4864  WMIC.exe
  Token: 35                            4864  WMIC.exe
  Token: 36                            4864  WMIC.exe
  Token: SeTcbPrivilege                2628  taskse.exe  (listed 2 times)
  Token: SeTcbPrivilege                3768  taskse.exe  (listed 2 times)
  Token: SeTcbPrivilege                2312  taskse.exe  (listed 2 times)

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  3608  @[email protected]
  1940  @[email protected]
  3608  @[email protected]
  1940  @[email protected]
  4512  @[email protected]
  4512  @[email protected]
  1044  @[email protected]
  2456  @[email protected]
Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below is listed 3 times in the report unless noted otherwise.
  description                       pid   Process                                                                procid_target
  PID 4192 wrote to memory of 8     4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  68
  PID 4192 wrote to memory of 4200  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  70
  PID 4192 wrote to memory of 644   4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  72
  PID 4192 wrote to memory of 816   4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  73
  PID 816 wrote to memory of 592    816   cmd.exe                                                                75
  PID 4192 wrote to memory of 3800  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  79
  PID 4192 wrote to memory of 1940  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  80
  PID 4192 wrote to memory of 3912  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  81
  PID 3912 wrote to memory of 3608  3912  cmd.exe                                                                83
  PID 1940 wrote to memory of 4872  1940  @[email protected]                                                    85
  PID 3608 wrote to memory of 4816  3608  @[email protected]                                                    87
  PID 4816 wrote to memory of 4552  4816  cmd.exe                                                                89
  PID 4816 wrote to memory of 4864  4816  cmd.exe                                                                91
  PID 4192 wrote to memory of 2628  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  96
  PID 4192 wrote to memory of 4512  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  97
  PID 4192 wrote to memory of 1248  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  98
  PID 1248 wrote to memory of 1220  1248  cmd.exe                                                                100
  PID 4192 wrote to memory of 1404  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  101
  PID 4192 wrote to memory of 3768  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  102
  PID 4192 wrote to memory of 1044  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  103
  PID 4192 wrote to memory of 2036  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  104
  PID 4192 wrote to memory of 2312  4192  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  105  (listed once)

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  8     attrib.exe
Processes (indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  (PID 4192)
  command: "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe  (PID 8)
      command: attrib +h .
      - Views/modifies file attributes

    C:\Windows\SysWOW64\icacls.exe  (PID 4200)
      command: icacls . /grant Everyone:F /T /C /Q
      - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 644)
      command: taskdl.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 816)
      command: C:\Windows\system32\cmd.exe /c 132291639147692.bat
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cscript.exe  (PID 592)
          command: cscript.exe //nologo m.vbs

    C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 3800)
      command: taskdl.exe
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 1940)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe  (PID 4872)
          command: TaskData\Tor\taskhsvc.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe  (PID 3912)

        C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 3608)
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe  (PID 4816)
              command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\vssadmin.exe  (PID 4552)
                  command: vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies

                C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 4864)
                  command: wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 2628)
      command: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 4512)
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe  (PID 1248)
      command: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ysbppvej396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 1220)
          command: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ysbppvej396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
          - Adds Run key to start application
          - Modifies registry key

    C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 1404)
      command: taskdl.exe
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 3768)
      command: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 1044)

    C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 2036)
      command: taskdl.exe
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 2312)
      command: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 2456)

    C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 2104)
      command: taskdl.exe
      - Executes dropped EXE

C:\Windows\system32\vssvc.exe  (PID 768)
  command: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken