Analysis
- max time kernel: 167s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 05/02/2022, 21:41
Static task: static1
Behavioral task: behavioral1
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win10v2004-en-20220113
General
- Target: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Size: 99KB
- MD5: 20abc2fc4ae0ddc631322df67c828c17
- SHA1: 30fc7b84a438df84624e79d5365d4bd959fb5f72
- SHA256: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
- SHA512: cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1
Malware Config
- Extracted from: C:\Users\Admin\Music\# DECRYPT MY FILES #.txt
- http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: expand.exe)
- Executes dropped EXE (7 IoCs)
  - PID 4532 expand.exe
  - PID 1052 expand.exe
  - PID 4908 expand.exe
  - PID 4188 expand.exe
  - PID 3404 expand.exe
  - PID 1712 expand.exe
  - PID 948 expand.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: expand.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: expand.exe)
- Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk (process: expand.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
- Adds Run key to start application (2 TTPs, 8 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: expand.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: expand.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 17: ipinfo.io
  - flow 16419: ipinfo.io
- Drops file in Windows directory (6 IoCs)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Kills process with taskkill (2 IoCs)
  - PID 4512 taskkill.exe
  - PID 4824 taskkill.exe
- Modifies Control Panel (4 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop (process: expand.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (process: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
- Modifies data under HKEY_USERS (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (process: svchost.exe)
- Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings (process: expand.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: msedge.exe)
- Runs ping.exe (1 TTP, 2 IoCs)
  - PID 1976 PING.EXE
  - PID 3796 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4532 expand.exe (20 entries)
  - PID 1052 expand.exe (20 entries)
  - PID 3404 expand.exe (20 entries)
  - PID 1712 expand.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  - PID 1156 msedge.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  - Token: SeDebugPrivilege, PID 4272 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
  - Token: SeDebugPrivilege, PID 4532 expand.exe
  - Token: SeDebugPrivilege, PID 4512 taskkill.exe
  - Token: SeDebugPrivilege, PID 1052 expand.exe
  - Token: SeDebugPrivilege, PID 4908 expand.exe
  - Token: SeDebugPrivilege, PID 4188 expand.exe
  - Token: SeDebugPrivilege, PID 3404 expand.exe
  - Token: SeDebugPrivilege, PID 1712 expand.exe
  - Token: 33, PID 2164 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, PID 2164 AUDIODG.EXE
  - Token: SeDebugPrivilege, PID 948 expand.exe
  - Token: SeDebugPrivilege, PID 4824 taskkill.exe
  - Token: SeShutdownPrivilege, PID 528 svchost.exe
  - Token: SeCreatePagefilePrivilege, PID 528 svchost.exe
  - Token: SeShutdownPrivilege, PID 528 svchost.exe
  - Token: SeCreatePagefilePrivilege, PID 528 svchost.exe
  - Token: SeShutdownPrivilege, PID 528 svchost.exe
  - Token: SeCreatePagefilePrivilege, PID 528 svchost.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  - PID 1156 msedge.exe (3 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 4272 (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe) wrote to memory of PID 4532, target 82 (3 entries)
  - PID 4272 (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe) wrote to memory of PID 4464, target 83 (3 entries)
  - PID 4464 (cmd.exe) wrote to memory of PID 4512, target 85 (3 entries)
  - PID 4464 (cmd.exe) wrote to memory of PID 1976, target 87 (3 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 1052, target 89 (3 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 4188, target 95 (3 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 3404, target 96 (3 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 1660, target 100 (2 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 1156, target 101 (2 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 1928, target 102 (2 entries)
  - PID 4532 (expand.exe) wrote to memory of PID 1712, target 103 (3 entries)
  - PID 1156 (msedge.exe) wrote to memory of PID 4724, target 104 (2 entries)
  - PID 1156 (msedge.exe) wrote to memory of PID 3460, target 107 (32 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe (PID 4272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 4532)
    Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe"
    Signatures: Adds policy Run key to start application; Executes dropped EXE; Checks BIOS information in registry; Checks computer location settings; Drops startup file; Adds Run key to start application; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 1052)
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat -1 -wait "=a-Akau5uWl9~{s!#h^+DMlH(vSVs"
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 4188)
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -watchdog
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 3404)
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\NOTEPAD.EXE (PID 1660)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1156)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4724)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc421846f8,0x7ffc42184708,0x7ffc42184718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3460)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4808)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1160)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2500)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2380)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5056)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1744)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    - C:\Windows\System32\WScript.exe (PID 1928)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 1712)
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94 -wait "fJ6yWW{F[G4HP@_<c#)gAVg^{C57M"
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 888)
      Command line: /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" > NUL
      - C:\Windows\system32\taskkill.exe (PID 4824)
        Command line: taskkill /t /f /im "expand.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE (PID 3796)
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 4464)
    Command line: /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 4512)
      Command line: taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (PID 1976)
      Command line: ping -n 1 127.0.0.1
      Signatures: Runs ping.exe
- C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 4908)
  Command line: C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (PID 2164)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x3d8
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe (PID 4192)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\CompPkgSrv.exe (PID 4240)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\svchost.exe (PID 528)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe (PID 948)
  Command line: C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken