Resubmissions
submitted         | task ID           | score
18/07/2022, 04:40 | 220718-faqj6ahdd3 | 1
09/07/2022, 10:37 | 220709-mn992sgcd4 | 10
08/07/2022, 15:34 | 220708-sz77qaadf8 | 10
20/06/2022, 11:39 | 220620-nsq8eacgfk | 10
13/06/2022, 10:07 | 220613-l5wmjsbff6 | 10
12/06/2022, 12:47 | 220612-p1kw2acbbp | 10
12/06/2022, 07:39 | 220612-jg55zagca5 | 10
11/06/2022, 20:25 | 220611-y7pcgabdf5 | 10
11/06/2022, 20:25 | 220611-y7fekabde7 | 10
11/06/2022, 20:24 | 220611-y642jafber | 1

Analysis
max time kernel: 1800s
max time network: 1790s
platform: windows10_x64
resource: win10-ja-20211208
submitted: 12/01/2022, 10:01

Static task: static1
Behavioral task: behavioral1
  Sample: WannaCry.EXE
  Resource: win10-ja-20211208
General
Target: WannaCry.EXE
Size: 3.4MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Family: wannacry
Wallet (Bitcoin address): 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
Attribution note: rows credited to OneDriveSetup.exe, FileSyncConfig.exe, OfficeC2RClient.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, browser_broker.exe and msfeedssync.exe are background activity of software preinstalled in the analysis image, not behaviour of the sample. The sample's own chain in this report is WannaCry.EXE, the dropped taskdl.exe, taskse.exe, taskhsvc.exe and @WanaDecryptor@.exe, the tasksche.exe path registered for autorun, and the reg.exe, icacls.exe, vssadmin.exe, WMIC.exe and taskkill.exe utilities recorded alongside them.
Modifies system executable filetype association 2 TTPs 3 IoCs
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | OneDriveSetup.exe
Registers COM server for autorun 1 TTPs
Wannacry
WannaCry is a ransomware cryptoworm.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE 64 IoCs
process | pids (in the order listed)
taskdl.exe | 652, 1708, 1132, 1260, 3552, 1724, 420, 3328, 3012, 2808, 2668, 2192, 3540, 4360, 4820, 2196, 4440, 344, 940, 3988
taskse.exe | 1552, 816, 5080, 4864, 1036, 1240, 3488, 980, 3784, 2308, 4624, 1020, 1308, 4824, 2276, 1356, 1900, 4984, 4356, 1904
@WanaDecryptor@.exe | 4872, 3520, 2116, 1904, 4992, 4900, 712, 4964, 2788, 1292, 2192, 2272, 1788, 4440, 4692, 3164, 1296, 2976, 1028, 4568, 4856, 1136
taskhsvc.exe | 4408
FileSyncConfig.exe | 4788
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\OpenUndo.tiff | WannaCry.EXE
File created | C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRYT | WannaCry.EXE
File renamed | C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRYT => C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRY | WannaCry.EXE
File opened for modification | C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRY | WannaCry.EXE
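The four rows above are one encryption chain: the original is opened, a .WNCRYT temp file is created next to it, and that temp file is renamed to the final .WNCRY name. That chain, repeated across many files by one process, is the fingerprint worth alerting on. The Python below is an added example, not part of this tria.ge report, that reconstructs such chains from file events of the same shape as the report's rows. The event list is constructed here (a second encrypted file and a benign notepad.exe rename are added for contrast); the .WNCRYT and .WNCRY suffixes and the OpenUndo.tiff path are the only values taken from the report.

```python
"""Reconstruct WannaCry-style encryption chains from sandbox file events.

Each event is (description, ioc, process), exactly as the report rows read:
  "File created"  "<path>.WNCRYT"                   <process>
  "File renamed"  "<path>.WNCRYT => <path>.WNCRY"   <process>
A file counts as encrypted only when the temp file a process created is
renamed onto the same base name with the final extension by that process.
The sample events below are constructed, not taken from the report.
"""
from collections import Counter

TEMP_EXT = ".WNCRYT"   # intermediate suffix seen in the report
FINAL_EXT = ".WNCRY"   # final suffix seen in the report

# Constructed events in the report's row format; the last two are benign.
SAMPLE_EVENTS = [
    ("File opened for modification", r"C:\Users\Admin\Pictures\OpenUndo.tiff", "WannaCry.EXE"),
    ("File created", r"C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRYT", "WannaCry.EXE"),
    ("File renamed", r"C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRYT => C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRY", "WannaCry.EXE"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\OpenUndo.tiff.WNCRY", "WannaCry.EXE"),
    ("File created", r"C:\Users\Admin\Documents\budget.xlsx.WNCRYT", "WannaCry.EXE"),
    ("File renamed", r"C:\Users\Admin\Documents\budget.xlsx.WNCRYT => C:\Users\Admin\Documents\budget.xlsx.WNCRY", "WannaCry.EXE"),
    ("File created", r"C:\Users\Admin\Documents\notes.txt", "notepad.exe"),
    ("File renamed", r"C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.bak", "notepad.exe"),
]


def split_rename(ioc):
    """'old => new' as the report prints renames; None for anything else."""
    old, sep, new = ioc.partition(" => ")
    return (old, new) if sep else None


def strip_suffix(path, suffix):
    """Case-insensitive suffix removal; None when the suffix is absent."""
    if path.upper().endswith(suffix.upper()):
        return path[:-len(suffix)]
    return None


def find_encrypted(events):
    """Map original path -> encrypting process for every completed chain."""
    pending = {}      # temp path -> process that created it
    encrypted = {}
    for description, ioc, process in events:
        if description == "File created" and strip_suffix(ioc, TEMP_EXT) is not None:
            pending[ioc] = process
        elif description == "File renamed":
            pair = split_rename(ioc)
            if pair is None:
                continue
            old, new = pair
            original = strip_suffix(old, TEMP_EXT)
            final_base = strip_suffix(new, FINAL_EXT)
            # The chain completes only if the temp file we saw created is
            # renamed onto the same base name by the same process.
            if original is not None and original == final_base and pending.get(old) == process:
                encrypted[original] = process
                del pending[old]
    return encrypted


def offenders(events, threshold=2):
    """Processes that completed at least `threshold` chains. One chain is
    suspicious; several from one process is a ransomware alert."""
    counts = Counter(find_encrypted(events).values())
    return {proc: n for proc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for path, proc in find_encrypted(SAMPLE_EVENTS).items():
        print(f"{proc} encrypted {path}")
    print("alert:", offenders(SAMPLE_EVENTS))
```

Keying on the create-then-rename pair rather than on the extension alone avoids firing on a user who happens to rename a single file, and tracking the creating process lets the count be attributed to the encryptor even when the files live in many directories.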
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation | @WanaDecryptor@.exe
Drops startup file 26 IoCs
All 26 rows are "File opened for modification" by WannaCry.EXE, in two directories:
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ | ~SD9052.tmp, ~SDE0DC.tmp, ~SDD6F7.tmp, ~SDA2A3.tmp, ~SD87E5.tmp, ~SDCDDE.tmp, ~SDAB3F.tmp, ~SD127F.tmp, ~SDBC87.tmp, ~SDC4F4.tmp, ~SDB439.tmp, ~SD997B.tmp, ~SDDFA3.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | ~SDC4ED.tmp, ~SDB432.tmp, ~SDAB38.tmp, ~SD904B.tmp, ~SD1268.tmp, ~SDD6E1.tmp, ~SDA28D.tmp, ~SD9974.tmp, ~SD87DE.tmp, ~SDBC80.tmp, ~SDCDD7.tmp, ~SDE0C6.tmp, ~SDDF9C.tmp
Loads dropped DLL 14 IoCs
pid | process | entries
4408 | taskhsvc.exe | 7
4788 | FileSyncConfig.exe | 7
Modifies file permissions 1 TTPs 1 IoCs
pid | process
4608 | icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\exvqpukpdbbhw483 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | OneDriveSetup.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | @WanaDecryptor@.exe
Drops file in System32 directory 4 IoCs
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db | OfficeC2RClient.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | WannaCry.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | @WanaDecryptor@.exe
Drops file in Windows directory 14 IoCs
description | ioc | process
File created | C:\Windows\rescache\_merged\2717123927\1253081315.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\860799236\3444516878.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1301087654\4010849688.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\4272278488\30062976.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | process
1792 | vssadmin.exe
Kills process with taskkill 5 IoCs
pid | process
4280 | taskkill.exe
4224 | taskkill.exe
3540 | taskkill.exe
4748 | taskkill.exe
3112 | taskkill.exe
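The Run value set by reg.exe (random value name, target tasksche.exe under the user's Temp directory), the vssadmin.exe and WMIC.exe entries under "Interacts with shadow copies" and "Suspicious use of AdjustPrivilegeToken", the icacls.exe call and the five taskkill.exe invocations are the persistence and recovery-inhibition steps a hunt should pick up. The Python below is an added example, not part of this tria.ge report, that applies those checks to registry and process events. The report records only process names and pids for vssadmin.exe, WMIC.exe, icacls.exe and taskkill.exe, so the command lines in the sample process events are constructed for illustration and are not taken from the report; the two registry events are copied from the report's own Run and RunOnce rows.

```python
"""Hunt rules for the persistence and recovery-inhibition behaviours in the
report: an autorun value launching from %TEMP%, shadow-copy deletion, ACL
loosening with icacls and bulk taskkill. Sample process command lines are
constructed; only the pids and the registry rows come from the report."""
import re

# Run or RunOnce value under either hive, whatever the value is called.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# (rule name, pattern over the full command line)
COMMAND_RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("acl_opened_to_everyone", re.compile(r"\bicacls(\.exe)?\b.*\s/grant\s+Everyone:F\b", re.I)),
    ("process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+\S+", re.I)),
]


def first_exe(data):
    """Executable at the start of a Run-value string, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_registry(event):
    """event = (description, key, data, process). Flag autorun values whose
    target lives in the user's Temp directory, regardless of value name."""
    description, key, data, process = event
    if not description.startswith("Set value") or not RUN_KEY_RE.search(key):
        return None
    target = first_exe(data)
    if TEMP_DIR_RE.search(target):
        return ("run_key_to_temp", process, target)
    return None


def check_command(event):
    """event = (pid, image, command line). Return every COMMAND_RULES hit."""
    pid, image, cmdline = event
    return [(name, f"{image}:{pid}", cmdline) for name, rx in COMMAND_RULES if rx.search(cmdline)]


def hunt(registry_events, process_events):
    findings = [f for f in map(check_registry, registry_events) if f]
    for ev in process_events:
        findings.extend(check_command(ev))
    return findings


# Registry rows from the report; the second is benign OneDrive setup.
REGISTRY_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\exvqpukpdbbhw483",
     r'"C:\Users\Admin\AppData\Local\Temp\tasksche.exe"', "reg.exe"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary",
     r'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"',
     "OneDriveSetup.exe"),
]

# Pids are the report's; the command lines are constructed (the report shows
# no arguments). The last two entries should produce no command-rule hit.
PROCESS_EVENTS = [
    (1792, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (3652, "WMIC.exe", "wmic shadowcopy delete"),
    (4608, "icacls.exe", "icacls . /grant Everyone:F /T /C /Q"),
    (4280, "taskkill.exe", "taskkill.exe /f /im mysqld.exe"),
    (2160, "reg.exe", r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v exvqpukpdbbhw483 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\tasksche.exe" /f'),
    (5555, "cmd.exe", "cmd.exe /c dir C:\\Users\\Admin"),
]

if __name__ == "__main__":
    for name, who, evidence in hunt(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(f"{name:24} {who:20} {evidence}")
```

The registry rule deliberately ignores the value name: the report shows it as a random string (exvqpukpdbbhw483), so matching on the target path under Temp is what survives across samples, while OneDrive's own RunOnce cleanup entry, which launches cmd.exe from System32, is not flagged. The reg.exe command line is left uncovered by COMMAND_RULES on purpose, to show that the registry event is the more reliable place to catch that step.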
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | msfeedssync.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Suggested Sites | msfeedssync.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DeletePending = "0" | msfeedssync.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | msfeedssync.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UploadDiagInfo = 0200000000000000000000000000000000000000000000000000000000000000b00400004e96d936aeeed701040000001cd1d436aeeed7011cd1d436aeeed7016801000068010000000301 | msfeedssync.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | OneDriveSetup.exe
Modifies data under HKEY_USERS 23 IoCs
All rows are by OfficeC2RClient.exe. D stands for \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office.
description | ioc
Key created | D\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
Set value (int) | D\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"
Key created | D\16.0\Common\TrustCenter\Experimentation
Key created | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe
Key deleted | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor
Key deleted | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe
Key created | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor
Key created | D\16.0
Key created | D\16.0\Common
Key created | D\16.0\Common\ExperimentConfigs\Ecs
Key created | D\16.0\Common\ExperimentEcs\officeclicktorun\Overrides
Set value (int) | D\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"
Key created | D\16.0\Common\ClientTelemetry
Key created | D\16.0\Common\ExperimentEcs\Overrides
Key created | D\16.0\Common\ClientTelemetry\RulesMetadata
Set value (str) | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"
Key created | D\Common\ClientTelemetry\Volatile
Key created | D\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Key created | D\16.0\Common\ExperimentEcs\all\Overrides
Key created | D\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun
Key created | D\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun
Set value (str) | D\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"
Key created | D\Common\ClientTelemetry
Modifies registry class 64 IoCs
H stands for \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes (the report prints deleted keys in upper case; that casing is kept below). E stands for H\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe.
description | ioc | process
Key created | H\Interface\{c1439245-96b4-47fc-b391-679386c5d40f} | OneDriveSetup.exe
Key created | H\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0 | OneDriveSetup.exe
Key created | H\.fluid\shell\open | OneDriveSetup.exe
Key created | E\MicrosoftEdge\FavOrder\Favorites | MicrosoftEdge.exe
Key created | H\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57} | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDriveSetup.exe
Key created | H\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2} | OneDriveSetup.exe
Set value (str) | H\.note\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\OneDriveFileLauncher.exe\" \"%1\"" | OneDriveSetup.exe
Key deleted | H\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\TYPELIB | OneDriveSetup.exe
Key deleted | H\SYNCENGINEFILEINFOPROVIDER.SYNCENGINEFILEINFOPROVIDER.1\CLSID | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID\ = "StorageProviderUriSource.StorageProviderUriSource.1" | OneDriveSetup.exe
Set value (str) | H\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" | OneDriveSetup.exe
Key created | H\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2} | OneDriveSetup.exe
Key created | E\Children\001\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Key created | E\Children\001\Internet Explorer\EdpDomStorage | MicrosoftEdgeCP.exe
Key deleted | H\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9} | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class" | OneDriveSetup.exe
Key created | H\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | OneDriveSetup.exe
Key created | H\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182} | OneDriveSetup.exe
Set value (str) | H\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5" | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\Version = "1.0" | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class" | OneDriveSetup.exe
Set value (str) | H\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget\CLSID = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" | OneDriveSetup.exe
Key created | H\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32 | OneDriveSetup.exe
Key created | H\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | OneDriveSetup.exe
Key deleted | H\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | H\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} | OneDriveSetup.exe
Key created | H\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32 | OneDriveSetup.exe
Key deleted | H\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 | OneDriveSetup.exe
Set value (str) | H\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\ = "UpToDatePinnedOverlayHandler Class" | OneDriveSetup.exe
Key deleted | H\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\SHELL\IMPORT\DROPTARGET | OneDriveSetup.exe
Key created | H\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR | OneDriveSetup.exe
Set value (str) | E\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key deleted | H\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Set value (str) | H\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\SyncEngine.dll\\2" | OneDriveSetup.exe
Set value (str) | H\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1" | OneDriveSetup.exe
Key deleted | H\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Key deleted | H\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32 | OneDriveSetup.exe
Set value (str) | H\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\ = "Microsoft SharePoint Type Library" | OneDriveSetup.exe
Set value (data) | E\CIStatus\CIStatusTimestamp = b96c19a6aceed701 | MicrosoftEdge.exe
Key created | E\Children\001\Internet Explorer\DomStorageState | MicrosoftEdgeCP.exe
Key deleted | H\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17} | OneDriveSetup.exe
Key deleted | H\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\WIN32 | OneDriveSetup.exe
Set value (str) | H\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0" | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDriveSetup.exe
Key created | H\NucleusNativeMessaging.NucleusNativeMessaging\CLSID | OneDriveSetup.exe
Key created | E\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain | MicrosoftEdge.exe
Set value (int) | E\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0" | MicrosoftEdgeCP.exe
Key deleted | H\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | OneDriveSetup.exe
Key created | H\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 | OneDriveSetup.exe
Set value (str) | H\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDriveSetup.exe
Set value (str) | H\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback" | OneDriveSetup.exe
Set value (str) | E\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key deleted | H\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\TYPELIB | OneDriveSetup.exe
Set value (str) | H\BannerNotificationHandler.BannerNotificationHandler\CurVer\ = "BannerNotificationHandler.AutoBannerNotificationHandlerPlayHandler.1" | OneDriveSetup.exe
Set value (str) | H\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDriveSetup.exe
Key created | H\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3} | OneDriveSetup.exe
Set value (str) | H\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | OneDriveSetup.exe
Key created | H\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib | OneDriveSetup.exe
Key created | H\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} | OneDriveSetup.exe
Key created | H\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib | OneDriveSetup.exe
Key deleted | H\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c} | OneDriveSetup.exe
Key deleted | H\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} | OneDriveSetup.exe
Modifies registry key 1 TTPs 1 IoCs
pid | process
2160 | reg.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process | entries
428 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 entries are repeats of three pid/process pairs, one per enumeration call:
pid | process
4408 | taskhsvc.exe
4632 | OneDriveSetup.exe
2912 | taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
2116 @[email protected]
2912 taskmgr.exe
-
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process
3160 MicrosoftEdgeCP.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (grouped by process, in order of first appearance)
1552 taskse.exe: Token: SeTcbPrivilege (2 entries)
2916 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
3652 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 entries is logged twice)
816 taskse.exe: Token: SeTcbPrivilege (2 entries)
5080 taskse.exe: Token: SeTcbPrivilege (2 entries)
4864 taskse.exe: Token: SeTcbPrivilege (2 entries)
1036 taskse.exe: Token: SeTcbPrivilege (2 entries)
1240 taskse.exe: Token: SeTcbPrivilege (2 entries)
3488 taskse.exe: Token: SeTcbPrivilege (2 entries)
980 taskse.exe: Token: SeTcbPrivilege (2 entries)
2912 taskmgr.exe: Token: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
-
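The AdjustPrivilegeToken table is easier to read once it is folded per process: every taskse.exe instance enables only SeTcbPrivilege, vssvc.exe enables the backup/restore pair a VSS service needs, and WMIC.exe enables 21 privileges twice. The following Python is an added example, not part of the tria.ge report or of the sample: it parses entries in the report's "Token: <privilege> <pid> <image>" format (the sample lines are a subset copied from the table), de-duplicates them per process, and flags the privileges worth a second look. Which privileges count as sensitive, and the per-image baseline that suppresses vssvc.exe's expected backup/restore privileges, are this example's own assumptions.

```python
"""Fold the report's "Suspicious use of AdjustPrivilegeToken" entries per
process and flag sensitive privileges.

Added example; it is not part of the tria.ge report or of the sample.
SENSITIVE and EXPECTED are assumptions made for this example."""
import re

# One report entry: "Token: <privilege or numeric LUID> <pid> <image>"
ENTRY_RE = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)")

# Constructed input: a subset of the report's entries, including duplicates
# and one privilege the sandbox left as a bare number.
TOKEN_LOG = """\
Token: SeTcbPrivilege 1552 taskse.exe
Token: SeTcbPrivilege 1552 taskse.exe
Token: SeBackupPrivilege 2916 vssvc.exe
Token: SeRestorePrivilege 2916 vssvc.exe
Token: SeAuditPrivilege 2916 vssvc.exe
Token: SeIncreaseQuotaPrivilege 3652 WMIC.exe
Token: SeSecurityPrivilege 3652 WMIC.exe
Token: SeTakeOwnershipPrivilege 3652 WMIC.exe
Token: SeLoadDriverPrivilege 3652 WMIC.exe
Token: SeBackupPrivilege 3652 WMIC.exe
Token: SeRestorePrivilege 3652 WMIC.exe
Token: SeDebugPrivilege 3652 WMIC.exe
Token: 33 3652 WMIC.exe
Token: SeTcbPrivilege 816 taskse.exe
Token: SeDebugPrivilege 2912 taskmgr.exe
Token: SeSystemProfilePrivilege 2912 taskmgr.exe
Token: SeCreateGlobalPrivilege 2912 taskmgr.exe
"""

# Privileges that let a process act outside its own security context (assumption).
SENSITIVE = {"SeTcbPrivilege", "SeDebugPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege"}

# Privileges a known system image is expected to enable (assumed baseline).
EXPECTED = {"vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege"}}


def parse_token_log(text):
    """Return (privilege, pid, image) per entry; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            records.append((m["priv"], int(m["pid"]), m["image"]))
    return records


def privileges_by_process(records):
    """(pid, image) -> privileges in first-seen order, duplicates removed."""
    by_proc = {}
    for priv, pid, image in records:
        privs = by_proc.setdefault((pid, image), [])
        if priv not in privs:
            privs.append(priv)
    return by_proc


def flag_sensitive(by_proc, sensitive=SENSITIVE, expected=EXPECTED):
    """(pid, image) -> sensitive privileges not covered by that image's baseline."""
    flagged = {}
    for (pid, image), privs in by_proc.items():
        baseline = expected.get(image, set())
        hits = [p for p in privs if p in sensitive and p not in baseline]
        if hits:
            flagged[(pid, image)] = hits
    return flagged


def unresolved(records):
    """Privilege values the sandbox reported as bare numbers instead of names."""
    return {priv for priv, _, _ in records if priv.isdigit()}


if __name__ == "__main__":
    recs = parse_token_log(TOKEN_LOG)
    for key, hits in flag_sensitive(privileges_by_process(recs)).items():
        print(key, hits)
    print("unresolved:", unresolved(recs))
```

The baseline dictionary is where local knowledge goes: a known system service enabling the privileges it always enables is noise, while a dropped binary enabling SeTcbPrivilege is the kind of line an analyst wants surfaced.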
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2912 taskmgr.exe (64 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
2912 taskmgr.exe (64 entries)
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each parent/child pair is listed once; the count shows how many times the report logs it)
PID 960 wrote to memory of 4628  960 WannaCry.EXE  78  (3 entries)
PID 960 wrote to memory of 4608  960 WannaCry.EXE  80  (3 entries)
PID 960 wrote to memory of 652  960 WannaCry.EXE  82  (3 entries)
PID 960 wrote to memory of 992  960 WannaCry.EXE  83  (3 entries)
PID 992 wrote to memory of 1184  992 cmd.exe  85  (3 entries)
PID 960 wrote to memory of 4872  960 WannaCry.EXE  88  (3 entries)
PID 960 wrote to memory of 4888  960 WannaCry.EXE  89  (3 entries)
PID 4888 wrote to memory of 3520  4888 cmd.exe  91  (3 entries)
PID 4872 wrote to memory of 4408  4872 @[email protected]  93  (3 entries)
PID 960 wrote to memory of 1552  960 WannaCry.EXE  96  (3 entries)
PID 960 wrote to memory of 1708  960 WannaCry.EXE  97  (3 entries)
PID 960 wrote to memory of 2116  960 WannaCry.EXE  98  (3 entries)
PID 960 wrote to memory of 2036  960 WannaCry.EXE  100  (3 entries)
PID 2036 wrote to memory of 2160  2036 cmd.exe  101  (3 entries)
PID 3520 wrote to memory of 1564  3520 @[email protected]  104  (3 entries)
PID 1564 wrote to memory of 1792  1564 cmd.exe  106  (3 entries)
PID 1564 wrote to memory of 3652  1564 cmd.exe  108  (3 entries)
PID 4632 wrote to memory of 4788  4632 OneDriveSetup.exe  113  (3 entries)
PID 960 wrote to memory of 1132  960 WannaCry.EXE  115  (3 entries)
PID 960 wrote to memory of 816  960 WannaCry.EXE  116  (3 entries)
PID 960 wrote to memory of 1904  960 WannaCry.EXE  117  (3 entries)
PID 960 wrote to memory of 1260  960 WannaCry.EXE  121  (1 entry)
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process
4628 attrib.exe
Processes
One line per process, indented by depth in the process tree: PID, image path, the command line as recorded (cmd:) and the sandbox's behavior flags (flags:). Entries without cmd: had no separate command line in the report.

PID 960  C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE | cmd: "C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE" | flags: Modifies extensions of user files; Drops startup file; Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory
  PID 4628  C:\Windows\SysWOW64\attrib.exe | cmd: attrib +h . | flags: Views/modifies file attributes
  PID 4608  C:\Windows\SysWOW64\icacls.exe | cmd: icacls . /grant Everyone:F /T /C /Q | flags: Modifies file permissions
  PID 652  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 992  C:\Windows\SysWOW64\cmd.exe | cmd: C:\Windows\system32\cmd.exe /c 315571639240049.bat | flags: Suspicious use of WriteProcessMemory
    PID 1184  C:\Windows\SysWOW64\cscript.exe | cmd: cscript.exe //nologo m.vbs
  PID 4872  C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID 4408  C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe | cmd: TaskData\Tor\taskhsvc.exe | flags: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
  PID 4888  C:\Windows\SysWOW64\cmd.exe
    PID 3520  C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID 1564  C:\Windows\SysWOW64\cmd.exe | cmd: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet | flags: Suspicious use of WriteProcessMemory
        PID 1792  C:\Windows\SysWOW64\vssadmin.exe | cmd: vssadmin delete shadows /all /quiet | flags: Interacts with shadow copies
        PID 3652  C:\Windows\SysWOW64\Wbem\WMIC.exe | cmd: wmic shadowcopy delete | flags: Suspicious use of AdjustPrivilegeToken
  PID 1552  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 1708  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 2116  C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Checks computer location settings; Checks whether UAC is enabled; Sets desktop wallpaper using registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  PID 2036  C:\Windows\SysWOW64\cmd.exe | cmd: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exvqpukpdbbhw483" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | flags: Suspicious use of WriteProcessMemory
    PID 2160  C:\Windows\SysWOW64\reg.exe | cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exvqpukpdbbhw483" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | flags: Adds Run key to start application; Modifies registry key
  PID 1132  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 816  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 1904  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1260  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 5080  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 4992  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4864  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 4900  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3552  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1036  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 712  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1724  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1240  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 4964  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 420  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 3488  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 2788  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3328  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 980  C:\Users\Admin\AppData\Local\Temp\taskse.exe | cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 1292  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3012  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 3784  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2192  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2808  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 2308  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2272  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2668  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 4624  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1788  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2192  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1020  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4440  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3540  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1308  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4692  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4360  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 4824  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3164  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4820  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 2276  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1296  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2196  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1356  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2976  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4440  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1900  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1028  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 344  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 4984  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4568  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 940  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 4356  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4856  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3988  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe | flags: Executes dropped EXE
  PID 1904  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1136  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1932  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1972  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4204  C:\Users\Admin\AppData\Local\Tem p\@[email protected]
  PID 992  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4492  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2364  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4596  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3788  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4696  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 812  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4632  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 624  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 5012  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2624  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4840  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 5060  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3308  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4964  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4848  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3068  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4772  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2504  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 5040  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3992  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4444  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 5096  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2916  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1952  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3160  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3184  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2976  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3352  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1020  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3500  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1372  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 432  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4112  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 5044  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 820  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2176  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1780  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4544  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4272  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3868  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4644  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3524  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1172  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2300  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1784  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4280  C:\Windows\SysWOW64\taskkill.exe | cmd: taskkill.exe /f /im Microsoft.Exchange.* | flags: Kills process with taskkill
  PID 4224  C:\Windows\SysWOW64\taskkill.exe | cmd: taskkill.exe /f /im sqlwriter.exe | flags: Kills process with taskkill
  PID 3540  C:\Windows\SysWOW64\taskkill.exe | cmd: taskkill.exe /f /im mysqld.exe | flags: Kills process with taskkill
  PID 4748  C:\Windows\SysWOW64\taskkill.exe | cmd: taskkill.exe /f /im sqlserver.exe | flags: Kills process with taskkill
  PID 3112  C:\Windows\SysWOW64\taskkill.exe | cmd: taskkill.exe /f /im MSExchange* | flags: Kills process with taskkill
  PID 3012  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1348  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2144  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4356  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 984  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4584  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1552  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4940  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4552  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1640  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1080  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4764  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2996  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1364  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 5012  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4368  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 5060  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3448  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4456  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3480  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4772  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 5024  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2100  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3596  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2036  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2092  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3808  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 3156  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1848  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 712  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 216  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3128  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4116  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 868  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4452  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4864  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2300  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2564  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 368  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 5064  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4280  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3760  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2236  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4168  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3912  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 608  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1348  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3516  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2688  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3468  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 3916  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4784  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 4424  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1896  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 1972  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1592  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4512  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2692  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 2420  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 1716  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 944  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 3188  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 2616  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 2280  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 32  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 5048  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
  PID 4684  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID 1996  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID 4528  C:\Users\Admin\AppData\Local\Temp\taskdl.exe | cmd: taskdl.exe
PID 2916  C:\Windows\system32\vssvc.exe | cmd: C:\Windows\system32\vssvc.exe | flags: Suspicious use of AdjustPrivilegeToken
PID 4632  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe | cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode | flags: Modifies system executable filetype association; Adds Run key to start application; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID 4788  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | cmd: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe" | flags: Executes dropped EXE; Loads dropped DLL
PID 2912  C:\Windows\system32\taskmgr.exe | cmd: "C:\Windows\system32\taskmgr.exe" /4 | flags: Drops file in Windows directory; Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
PID 4708  C:\Windows\System32\rundll32.exe | cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 4496  C:\Windows\system32\LaunchWinApp.exe | cmd: "C:\Windows\system32\LaunchWinApp.exe" "http://www.bing.com/search?q=tasksche.exe Tasksche"
PID 4576  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | flags: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of SetWindowsHookEx
PID 820  C:\Windows\system32\browser_broker.exe | cmd: C:\Windows\system32\browser_broker.exe -Embedding | flags: Modifies Internet Explorer settings
PID 3720  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | flags: Suspicious use of SetWindowsHookEx
PID 3864  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | flags: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class
PID 3364  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | flags: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
PID 5040  C:\Windows\system32\browser_broker.exe | cmd: C:\Windows\system32\browser_broker.exe -Embedding | flags: Modifies Internet Explorer settings
PID 3160  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | flags: Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx
PID 1292  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | flags: Drops file in Windows directory; Modifies registry class
PID 5076  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | flags: Drops file in Windows directory; Modifies registry class
PID 2108  C:\Windows\system32\taskmgr.exe | cmd: "C:\Windows\system32\taskmgr.exe" /4
PID 428  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | cmd: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" | flags: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
PID 1036  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe | cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False | flags: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
PID 1356  C:\Windows\system32\msfeedssync.exe | cmd: C:\Windows\system32\msfeedssync.exe sync | flags: Modifies Internet Explorer settings
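The command lines in the tree above carry most of the triage value of this report: the working directory is hidden and opened up to Everyone, the recovery chain run through cmd.exe deletes shadow copies and the backup catalog and turns off Windows recovery, a Run key is written that points at tasksche.exe in the user's Temp folder, and database and Exchange processes are force-killed. The following Python is an added example, not tooling from tria.ge or from the sample: a small rule set that expands `cmd.exe /c a & b & c` chains, normalises the program token, and tags each sub-command with a behavior label and an ATT&CK technique ID. The command lines are copied from the tree; the rules, labels and technique mapping are this example's own choices, and quoted `cmd /c "..."` forms are not handled.

```python
"""Rule-based triage of the command lines recorded in the process tree.

Added example; it is not tooling from tria.ge or from the sample. The command
lines are copied from the report; RULES and the ATT&CK mapping are this
example's own assumptions."""
import re

# Constructed input: command lines as they appear in the process tree.
CMDLINES = [
    "attrib +h .",
    "icacls . /grant Everyone:F /T /C /Q",
    r"C:\Windows\system32\cmd.exe /c 315571639240049.bat",
    "cscript.exe //nologo m.vbs",
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r'cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
    r'/v "exvqpukpdbbhw483" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f',
    "taskkill.exe /f /im Microsoft.Exchange.*",
    "taskkill.exe /f /im sqlwriter.exe",
    "taskkill.exe /f /im mysqld.exe",
    "taskkill.exe /f /im sqlserver.exe",
    "taskkill.exe /f /im MSExchange*",
    "taskdl.exe",
]

# (regex over the normalised sub-command, label, ATT&CK technique); assumed mapping.
RULES = [
    (r"^attrib\b.*\+h\b", "hides files/directories", "T1564.001"),
    (r"^icacls\b.*/grant\s+Everyone:F\b", "grants Everyone full control", "T1222.001"),
    (r"^vssadmin\b.*delete\s+shadows", "deletes volume shadow copies", "T1490"),
    (r"^wmic\b.*shadowcopy\s+delete", "deletes volume shadow copies", "T1490"),
    (r"^bcdedit\b.*bootstatuspolicy\s+ignoreallfailures", "suppresses boot-failure recovery", "T1490"),
    (r"^bcdedit\b.*recoveryenabled\s+no\b", "disables Windows recovery", "T1490"),
    (r"^wbadmin\b.*delete\s+catalog", "deletes the backup catalog", "T1490"),
    (r"^reg\b.*\badd\b.*\\CurrentVersion\\Run\b", "Run-key persistence", "T1547.001"),
    (r"^taskkill\b.*/im\s+\S+", "force-kills a process by image name", "T1489"),
    (r"^cscript\b", "runs a script through cscript", "T1059.005"),
    (r"\.bat$", "runs a dropped batch file", "T1059.003"),
]


def normalize(cmd):
    """Strip path and quotes from the program token and lower-case it, so
    'C:\\Windows\\system32\\cmd.exe /c x' and 'cmd.exe /c x' hit the same rule."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]*)"|(\S+)', cmd)
    if not m:
        return cmd
    prog = m.group(1) if m.group(1) is not None else m.group(2)
    prog = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return prog + cmd[m.end():]


def split_cmd_chain(cmdline):
    """Expand 'cmd.exe /c a & b & c' into ['a', 'b', 'c']; any other command
    line is returned as a single normalised command."""
    norm = normalize(cmdline)
    m = re.match(r"cmd(?:\.exe)?\s+/c\s+(.*)$", norm, re.I | re.S)
    if not m:
        return [norm]
    return [normalize(part) for part in m.group(1).split(" & ") if part.strip()]


def extract_detail(cmd):
    """Pull out the operand an analyst pivots on: the Run-key value name and
    its data (with the escaped quotes removed), or the killed image name."""
    if re.match(r"reg\s+add", cmd, re.I):
        value = re.search(r'/v\s+"?([^"\s]+)"?', cmd)
        data = re.search(r'/d\s+"(.*)"\s+/f', cmd)
        path = data.group(1).replace('\\"', "") if data else None
        return {"value": value.group(1) if value else None, "data": path,
                "in_user_temp": bool(path and re.search(r"\\AppData\\Local\\Temp\\", path, re.I))}
    if re.match(r"taskkill", cmd, re.I):
        image = re.search(r"/im\s+(\S+)", cmd, re.I)
        return {"image": image.group(1) if image else None}
    return {}


def classify(cmdline):
    """Findings for one recorded command line, one per matching rule and sub-command."""
    findings = []
    for cmd in split_cmd_chain(cmdline):
        for pattern, label, technique in RULES:
            if re.search(pattern, cmd, re.I):
                findings.append({"command": cmd, "finding": label,
                                 "technique": technique, "detail": extract_detail(cmd)})
    return findings


def triage(cmdlines):
    """Findings for a whole process tree's worth of command lines."""
    return [f for c in cmdlines for f in classify(c)]


def techniques(findings):
    """Sorted, de-duplicated technique IDs, e.g. for a report summary."""
    return sorted({f["technique"] for f in findings})


if __name__ == "__main__":
    for f in triage(CMDLINES):
        print(f["technique"], f["finding"], f["detail"] or "", "<-", f["command"])
```

Running it over the tree's command lines yields fifteen findings across seven techniques; the Run-key finding carries the value name and the decoded target path so that the "data points into the user's Temp folder" check is a field, not a judgment call.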
Network
MITRE ATT&CK Enterprise v6
Persistence
- Change Default File Association (1)
- Hidden Files and Directories (1)
- Registry Run Keys / Startup Folder (2)
Defense Evasion
- File Deletion (2)
- File and Directory Permissions Modification (1)
- Hidden Files and Directories (1)
- Modify Registry (5)