Resubmissions

| Submitted | ID | Score |
|---|---|---|
| 18-07-2022 04:40 | 220718-faqj6ahdd3 | 1 |
| 09-07-2022 10:37 | 220709-mn992sgcd4 | 10 |
| 08-07-2022 15:34 | 220708-sz77qaadf8 | 10 |
| 20-06-2022 11:39 | 220620-nsq8eacgfk | 10 |
| 13-06-2022 10:07 | 220613-l5wmjsbff6 | 10 |
| 12-06-2022 12:47 | 220612-p1kw2acbbp | 10 |
| 12-06-2022 07:39 | 220612-jg55zagca5 | 10 |
| 11-06-2022 20:25 | 220611-y7pcgabdf5 | 10 |
| 11-06-2022 20:25 | 220611-y7fekabde7 | 10 |
| 11-06-2022 20:24 | 220611-y642jafber | 1 |

Analysis
- Max time kernel: 4266753s
- Max time network: 1199s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 15-01-2022 13:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: WannaCry.EXE
- Resource: win10v2004-en-20220112
General

- Target: WannaCry.EXE
- Size: 3.4MB
- MD5: 84c82835a5d21bbcf75a61706d8ab549
- SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Malware Config

- Extracted from: C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Family: wannacry
- Wallet: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2656 created 2684 | 2656 | WerFault.exe | 81 |
Wannacry
WannaCry is a ransomware cryptoworm.
Executes dropped EXE 64 IoCs
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\CompareUpdate.tif.WNCRY | WannaCry.EXE |
| File created | C:\Users\Admin\Pictures\ExitClose.png.WNCRYT | WannaCry.EXE |
| File renamed | C:\Users\Admin\Pictures\SkipUnpublish.tif.WNCRYT => C:\Users\Admin\Pictures\SkipUnpublish.tif.WNCRY | WannaCry.EXE |
| File renamed | C:\Users\Admin\Pictures\BlockWatch.tif.WNCRYT => C:\Users\Admin\Pictures\BlockWatch.tif.WNCRY | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\Pictures\BlockWatch.tif.WNCRY | WannaCry.EXE |
| File created | C:\Users\Admin\Pictures\SkipUnpublish.tif.WNCRYT | WannaCry.EXE |
| File created | C:\Users\Admin\Pictures\BlockWatch.tif.WNCRYT | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\Pictures\ExitClose.png.WNCRY | WannaCry.EXE |
| File created | C:\Users\Admin\Pictures\SelectUpdate.png.WNCRYT | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\Pictures\SelectUpdate.png.WNCRY | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\Pictures\SkipUnpublish.tif.WNCRY | WannaCry.EXE |
| File created | C:\Users\Admin\Pictures\CompareUpdate.tif.WNCRYT | WannaCry.EXE |
| File renamed | C:\Users\Admin\Pictures\CompareUpdate.tif.WNCRYT => C:\Users\Admin\Pictures\CompareUpdate.tif.WNCRY | WannaCry.EXE |
| File renamed | C:\Users\Admin\Pictures\ExitClose.png.WNCRYT => C:\Users\Admin\Pictures\ExitClose.png.WNCRY | WannaCry.EXE |
| File renamed | C:\Users\Admin\Pictures\SelectUpdate.png.WNCRYT => C:\Users\Admin\Pictures\SelectUpdate.png.WNCRY | WannaCry.EXE |
Drops startup file 22 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5301.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5317.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6AF4.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7710.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6604.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5E2D.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD591D.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5924.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD557C.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD50F1.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD76EA.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD73D5.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD702B.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6AED.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD660B.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6289.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5E06.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5583.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD50F8.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD73DC.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7024.tmp | WannaCry.EXE |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6282.tmp | WannaCry.EXE |
Modifies file permissions 1 TTPs 1 IoCs
| pid | Process |
|---|---|
| 2228 | icacls.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jkdklrylw922 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | reg.exe |
Drops file in System32 directory 1 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system32\devmgmt.msc | mmc.exe |
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | WannaCry.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | @[email protected] |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | @[email protected] |
Drops file in Windows directory 58 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2848 | 2684 | WerFault.exe | 81 |
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe |
Enumerates system info in registry 2 TTPs 5 IoCs
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe |
Kills process with taskkill 5 IoCs
| pid | Process |
|---|---|
| 3152 | taskkill.exe |
| 3400 | taskkill.exe |
| 1584 | taskkill.exe |
| 840 | taskkill.exe |
| 1808 | taskkill.exe |
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe |
Modifies registry class 8 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000020000000100000003000000ffffffff | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache | ShellExperienceHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | control.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe |
Modifies registry key 1 TTPs 1 IoCs
| pid | Process |
|---|---|
| 1664 | reg.exe |
Suspicious behavior: AddClipboardFormatListener 1 IoCs
| pid | Process |
|---|---|
| 3464 | explorer.exe |
Suspicious behavior: EnumeratesProcesses 6 IoCs
| pid | Process |
|---|---|
| 228 | chrome.exe |
| 228 | chrome.exe |
| 2764 | chrome.exe |
| 2764 | chrome.exe |
| 2848 | WerFault.exe |
| 2848 | WerFault.exe |
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
| pid | Process |
|---|---|
| 2132 | @[email protected] |
| 212 | mmc.exe |
Suspicious behavior: LoadsDriver 10 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 39 IoCs
Suspicious use of SendNotifyMessage 32 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 1 IoCs
| pid | Process |
|---|---|
| 2912 | attrib.exe |
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5b244f50,0x7ffb5b244f60,0x7ffb5b244f702⤵PID:3772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:22⤵PID:528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:82⤵PID:3088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:12⤵PID:3300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:12⤵PID:396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:12⤵PID:3804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:12⤵PID:1476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:12⤵PID:1800
-
-
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1 | PID:464
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1 | PID:4064
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1 | PID:4052
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1 | PID:1740
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1 | PID:1680
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,5831489477116359225,7109811757509124998,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1 | PID:1304
C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE | "C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE" | PID:3980
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe | attrib +h . | PID:2912
      - Views/modifies file attributes
    C:\Windows\SysWOW64\icacls.exe | icacls . /grant Everyone:F /T /C /Q | PID:2228
      - Modifies file permissions
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3436
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 249341642257153.bat | PID:2684
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cscript.exe | cscript.exe //nologo m.vbs | PID:3036
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1448
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:808
    C:\Windows\SysWOW64\cmd.exe | (command line not captured) | PID:3252
        C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:4044
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2848
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3700
    C:\Windows\SysWOW64\cmd.exe | cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jkdklrylw922" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | PID:1548
        C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jkdklrylw922" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | PID:1664
          - Adds Run key to start application
          - Modifies registry key
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1028
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2688
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2908
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2108
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:732
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1532
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2872
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2952
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1600
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1604
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2768
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3272
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2528
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1952
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3876
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3504
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2688
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2952
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3536
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3428
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3668
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:620
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1212
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3044
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:4068
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3908
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1548
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1612
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3800
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3476
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3288
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:4008
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2712
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2736
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1308
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2276
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3644
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3776
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3428
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3340
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1088
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3584
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3328
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2272
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3768
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3576
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1972
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2236
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3324
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3692
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3456
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2312
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2528
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3952
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3276
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:2736
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:64
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:748
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1948
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:804
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:4056
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:1316
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3828
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1372
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected] | PID:3536
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3440
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1640
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3020
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3740
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3816
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2696
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3280
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1344
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3268
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2772
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2280
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1848
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3640
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2748
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3496
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2408
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:660
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:556
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3968
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2556
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1236
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2684
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1140
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2432
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2228
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:460
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3664
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:4044
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1252
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3724
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1704
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1832
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2312
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2284
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3884
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2260
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2552
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3616
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1968
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1952
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2528
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2136
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2160
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2736
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3920
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3880
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1692
    C:\Windows\SysWOW64\taskkill.exe | taskkill.exe /f /im Microsoft.Exchange.* | PID:3152
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill.exe /f /im sqlserver.exe | PID:3400
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill.exe /f /im MSExchange* | PID:1584
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill.exe /f /im sqlwriter.exe | PID:840
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill.exe /f /im mysqld.exe | PID:1808
      - Kills process with taskkill
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2564
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2976
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1604
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2144
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2332
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3008
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2876
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:460
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3664
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2284
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2908
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3884
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1972
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2236
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1564
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2896
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2540
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3768
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3888
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3880
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1692
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3796
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1904
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3428
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2680
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1652
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3336
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2808
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2664
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1940
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2608
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3908
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3700
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3268
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2016
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3664
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1168
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3092
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3572
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3324
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:752
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3848
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:3548
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:1812
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3124
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:616
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2264
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:8
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2416
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3276
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1644
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:1740
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:2700
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:1344
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2112
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3336
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:3152
    C:\Users\Admin\AppData\Local\Temp\taskse.exe | (command line not captured) | PID:2356
    C:\Users\Admin\AppData\Local\Temp\@[email protected] | (command line not captured) | PID:3836
    C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | PID:2772
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID:2292
C:\Windows\ImmersiveControlPanel\SystemSettings.exe | "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel | PID:2684
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2684 -s 2928 | PID:2848
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | PID:3892
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 440 -p 2684 -ip 2684 | PID:2656
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs | PID:2108
C:\Windows\system32\MusNotification.exe | C:\Windows\system32\MusNotification.exe | PID:2260
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs | PID:3832
C:\Users\Admin\Desktop\@[email protected] | "C:\Users\Admin\Desktop\@[email protected]" | PID:1560
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\@[email protected] | "C:\Users\Admin\Desktop\@[email protected]" | PID:2132
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2880
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID:2160
(image path not captured) | (command line not captured) | PID:2772
C:\Windows\system32\NOTEPAD.EXE | (command line not captured) | PID:1832
C:\Windows\system32\control.exe | "C:\Windows\system32\control.exe" SYSTEM | PID:748
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} | PID:1812
C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding | PID:3464
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
    C:\Windows\system32\mmc.exe | "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc | PID:212
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} | PID:3836
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k wsappx -p | PID:2292
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k wsappx -p | PID:2020