wannacry | 23f81d5ec379edc9c5deb9fdbd5a87049879baa96063ffd32611b6f99c5f31da

General

Target

Spin the Bottle VIP AREA & MORE!.txt
Size

95B
MD5

04001a54082f4d894a999d8f33997cef
SHA1

e666e0e92260a683cb3429ea1144693915778d5f
SHA256

23f81d5ec379edc9c5deb9fdbd5a87049879baa96063ffd32611b6f99c5f31da
SHA512

af888003336d94b8d41598a6731eedfae686f8b95b14216d70e22b0b59c686dfc55ae688c27731dcddd6108862e29f31e5fa155bb36c910e1620fe7b12cda03d

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

WannaCry.EXEtaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exe@WanaDecryptor@.exetaskse.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe

pid	process
1728	WannaCry.EXE
2064	taskdl.exe
3088	@WanaDecryptor@.exe
3216	@WanaDecryptor@.exe
652	taskhsvc.exe
1164	@WanaDecryptor@.exe
2840	taskse.exe
4076	taskdl.exe
3340	taskse.exe
2824	@WanaDecryptor@.exe
1740	taskdl.exe
2268	@WanaDecryptor@.exe
3900	taskse.exe
3888	@WanaDecryptor@.exe
4052	taskdl.exe
2772	taskse.exe
3280	@WanaDecryptor@.exe
4072	taskdl.exe
1396	taskse.exe
2596	@WanaDecryptor@.exe
2044	taskdl.exe
3140	taskse.exe
3148	@WanaDecryptor@.exe
3292	taskdl.exe
3720	taskse.exe
3788	@WanaDecryptor@.exe
2648	taskdl.exe
3384	taskse.exe
524	@WanaDecryptor@.exe
2504	taskdl.exe
1544	taskse.exe
2832	@WanaDecryptor@.exe
2260	taskdl.exe
3032	taskse.exe
2100	@WanaDecryptor@.exe
1924	taskdl.exe
1836	taskse.exe
1820	@WanaDecryptor@.exe
2888	taskdl.exe
1636	taskse.exe
952	@WanaDecryptor@.exe
2168	taskdl.exe
3272	taskse.exe
3472	@WanaDecryptor@.exe
2472	taskdl.exe
796	taskse.exe
2764	@WanaDecryptor@.exe
3856	taskdl.exe
2440	taskse.exe
2636	@WanaDecryptor@.exe
2820	taskdl.exe
2488	taskse.exe
2060	@WanaDecryptor@.exe
2164	taskdl.exe
892	taskse.exe
1228	@WanaDecryptor@.exe
2208	taskdl.exe
2476	taskse.exe
1344	@WanaDecryptor@.exe
2960	taskdl.exe
3084	taskse.exe
2172	@WanaDecryptor@.exe
3192	taskdl.exe
3004	taskse.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

WannaCry.EXE

description	ioc	process
File created	C:\Users\Admin\Pictures\SaveSplit.png.WNCRYT	WannaCry.EXE
File renamed	C:\Users\Admin\Pictures\SaveSplit.png.WNCRYT => C:\Users\Admin\Pictures\SaveSplit.png.WNCRY	WannaCry.EXE
File created	C:\Users\Admin\Pictures\ResumeApprove.png.WNCRYT	WannaCry.EXE
File renamed	C:\Users\Admin\Pictures\ResumeApprove.png.WNCRYT => C:\Users\Admin\Pictures\ResumeApprove.png.WNCRY	WannaCry.EXE
File opened for modification	C:\Users\Admin\Pictures\ResumeApprove.png.WNCRY	WannaCry.EXE
File created	C:\Users\Admin\Pictures\ResumeDisable.png.WNCRYT	WannaCry.EXE
File renamed	C:\Users\Admin\Pictures\ResumeDisable.png.WNCRYT => C:\Users\Admin\Pictures\ResumeDisable.png.WNCRY	WannaCry.EXE
File opened for modification	C:\Users\Admin\Pictures\ResumeDisable.png.WNCRY	WannaCry.EXE
File opened for modification	C:\Users\Admin\Pictures\SaveSplit.png.WNCRY	WannaCry.EXE

Drops startup file 1 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9E45.tmp	WannaCry.EXE

Loads dropped DLL 64 IoCs

Processes:

WannaCry.EXEcscript.execmd.exe@WanaDecryptor@.exetaskhsvc.exe

pid	process
1728	WannaCry.EXE
1216	cscript.exe
1728	WannaCry.EXE
3024	cmd.exe
3088	@WanaDecryptor@.exe
3088	@WanaDecryptor@.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE
1728	WannaCry.EXE

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2552 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2552	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqdbhvadqux735 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1888 vssadmin.exe

pid	process
1888	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 189b31e3f3bed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "808"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "808"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000e22af1bbd2ed46f69d9eeb13438bf324a7a0573cb09b65cdd1a6ad1a3e904a42000000000e8000000002000020000000478484add9652b65f32db42d424508bda03655cfdc4881716ea3d53b6f52a6f7900000000d3b12136afd7abdab48eb5dad75a55d32b9501356989f3648803e5fc50d7a880a8298ad4f3d8b3a9afc64f3c70049559ad03379354cbc09d1950f6fead71c0e04c7e5207b99d9fdb3027e2cdcd01a09fb6e6ff6aa2a1f79f3dd0a8955c7087ec8682fbf4da44c513fc68d491cd25e37f31974901f6ea2bffaedb979fe5a0cee8ddc604749722cbd63644470451ab3f540000000558678bd9b16c6f59fefde47b8e3778634ce9cffe001589454f83098910fbaabf066403d31861bb9a86e33674c1e7ef9b76e81c57ffce6de624bfce0237bb609	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "51"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000cc5a54360aa11a5d565ec482cc052b7a27c204b123a57d9a6d8109b969662b4b000000000e800000000200002000000004bd736f14b4decdb44978fc329bff04a13473234545f4c40dd9bb04f9aa808a200000004597fc77156e87b650cf5705711706fe93e84bf2a386a1540f6638dff8e18a2d40000000525cb2b348d2ae6ee8ade87d9b7c8222249d2ceeab15aeb776c1c71a12a25cf11473dcfc1bcf77ca9a4b2e678c37e7a43f613d7f4b2dc8debe24dcd2b3edcc54	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "51"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "808"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.mediafire.com/file/9f8fds9s3efg7so/WannaCry_by_Rafael.rar/file"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "111"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = b104000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "51"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "111"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1536BC11-2AE7-11ED-BAA3-DE6E3020A1A7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 005a0ae1f3bed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4028 reg.exe

pid	process
4028	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskhsvc.exe

pid	process
1292	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
3292	chrome.exe
3292	chrome.exe
3448	chrome.exe
3448	chrome.exe
1832	chrome.exe
3548	chrome.exe
3548	chrome.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@WanaDecryptor@.exe

pid process

1164 @WanaDecryptor@.exe

pid	process
1164	@WanaDecryptor@.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXE7zFM.exevssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: SeRestorePrivilege	2292	7zFM.exe
Token: 35	2292	7zFM.exe
Token: SeSecurityPrivilege	2292	7zFM.exe
Token: SeBackupPrivilege	2140	vssvc.exe
Token: SeRestorePrivilege	2140	vssvc.exe
Token: SeAuditPrivilege	2140	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2924	WMIC.exe
Token: SeSecurityPrivilege	2924	WMIC.exe
Token: SeTakeOwnershipPrivilege	2924	WMIC.exe
Token: SeLoadDriverPrivilege	2924	WMIC.exe
Token: SeSystemProfilePrivilege	2924	WMIC.exe
Token: SeSystemtimePrivilege	2924	WMIC.exe
Token: SeProfSingleProcessPrivilege	2924	WMIC.exe
Token: SeIncBasePriorityPrivilege	2924	WMIC.exe
Token: SeCreatePagefilePrivilege	2924	WMIC.exe
Token: SeBackupPrivilege	2924	WMIC.exe
Token: SeRestorePrivilege	2924	WMIC.exe
Token: SeShutdownPrivilege	2924	WMIC.exe
Token: SeDebugPrivilege	2924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2924	WMIC.exe
Token: SeRemoteShutdownPrivilege	2924	WMIC.exe
Token: SeUndockPrivilege	2924	WMIC.exe
Token: SeManageVolumePrivilege	2924	WMIC.exe
Token: 33	2924	WMIC.exe
Token: 34	2924	WMIC.exe
Token: 35	2924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2924	WMIC.exe
Token: SeSecurityPrivilege	2924	WMIC.exe
Token: SeTakeOwnershipPrivilege	2924	WMIC.exe
Token: SeLoadDriverPrivilege	2924	WMIC.exe
Token: SeSystemProfilePrivilege	2924	WMIC.exe
Token: SeSystemtimePrivilege	2924	WMIC.exe
Token: SeProfSingleProcessPrivilege	2924	WMIC.exe
Token: SeIncBasePriorityPrivilege	2924	WMIC.exe
Token: SeCreatePagefilePrivilege	2924	WMIC.exe
Token: SeBackupPrivilege	2924	WMIC.exe
Token: SeRestorePrivilege	2924	WMIC.exe
Token: SeShutdownPrivilege	2924	WMIC.exe
Token: SeDebugPrivilege	2924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2924	WMIC.exe
Token: SeRemoteShutdownPrivilege	2924	WMIC.exe
Token: SeUndockPrivilege	2924	WMIC.exe
Token: SeManageVolumePrivilege	2924	WMIC.exe
Token: 33	2924	WMIC.exe
Token: 34	2924	WMIC.exe
Token: 35	2924	WMIC.exe
Token: SeTcbPrivilege	2840	taskse.exe
Token: SeTcbPrivilege	2840	taskse.exe
Token: SeTcbPrivilege	3340	taskse.exe
Token: SeTcbPrivilege	3340	taskse.exe
Token: SeTcbPrivilege	3900	taskse.exe
Token: SeTcbPrivilege	3900	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	1396	taskse.exe
Token: SeTcbPrivilege	1396	taskse.exe
Token: SeTcbPrivilege	3140	taskse.exe
Token: SeTcbPrivilege	3140	taskse.exe
Token: SeTcbPrivilege	3720	taskse.exe
Token: SeTcbPrivilege	3720	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeiexplore.exe7zFM.exechrome.exe

pid	process
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
3712	iexplore.exe
3712	iexplore.exe
2292	7zFM.exe
2292	7zFM.exe
2292	7zFM.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe
3548	chrome.exe

Suspicious use of SetWindowsHookEx 61 IoCs

Processes:

iexplore.exeIEXPLORE.EXE@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
3712	iexplore.exe
3712	iexplore.exe
3808	IEXPLORE.EXE
3808	IEXPLORE.EXE
3712	iexplore.exe
3808	IEXPLORE.EXE
3808	IEXPLORE.EXE
3088	@WanaDecryptor@.exe
3216	@WanaDecryptor@.exe
3088	@WanaDecryptor@.exe
3216	@WanaDecryptor@.exe
1164	@WanaDecryptor@.exe
1164	@WanaDecryptor@.exe
2824	@WanaDecryptor@.exe
2268	@WanaDecryptor@.exe
3888	@WanaDecryptor@.exe
3280	@WanaDecryptor@.exe
2596	@WanaDecryptor@.exe
3148	@WanaDecryptor@.exe
3788	@WanaDecryptor@.exe
524	@WanaDecryptor@.exe
2832	@WanaDecryptor@.exe
2100	@WanaDecryptor@.exe
1820	@WanaDecryptor@.exe
952	@WanaDecryptor@.exe
3472	@WanaDecryptor@.exe
2764	@WanaDecryptor@.exe
2636	@WanaDecryptor@.exe
2060	@WanaDecryptor@.exe
1228	@WanaDecryptor@.exe
1344	@WanaDecryptor@.exe
2172	@WanaDecryptor@.exe
1972	@WanaDecryptor@.exe
2200	@WanaDecryptor@.exe
3100	@WanaDecryptor@.exe
2464	@WanaDecryptor@.exe
2280	@WanaDecryptor@.exe
3212	@WanaDecryptor@.exe
2076	@WanaDecryptor@.exe
2396	@WanaDecryptor@.exe
2056	@WanaDecryptor@.exe
3368	@WanaDecryptor@.exe
3388	@WanaDecryptor@.exe
3312	@WanaDecryptor@.exe
1980	@WanaDecryptor@.exe
2704	@WanaDecryptor@.exe
1216	@WanaDecryptor@.exe
3196	@WanaDecryptor@.exe
3252	@WanaDecryptor@.exe
1000	@WanaDecryptor@.exe
608	@WanaDecryptor@.exe
2784	@WanaDecryptor@.exe
1452	@WanaDecryptor@.exe
3952	@WanaDecryptor@.exe
3960	@WanaDecryptor@.exe
3464	@WanaDecryptor@.exe
3536	@WanaDecryptor@.exe
3112	@WanaDecryptor@.exe
2536	@WanaDecryptor@.exe
4024	@WanaDecryptor@.exe
4016	@WanaDecryptor@.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1640 wrote to memory of 1288	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1288	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1288	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1780	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1292	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1292	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 1292	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe
PID 1640 wrote to memory of 608	1640	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1080 attrib.exe

pid	process
1080	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Spin the Bottle VIP AREA & MORE!.txt"
1⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae4f50,0x7fef6ae4f60,0x7fef6ae4f70
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1036 /prefetch:2
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:8
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3344 /prefetch:2
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3468 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8736 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7476 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3224 /prefetch:8
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
2⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10872 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10824 /prefetch:8
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10892 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,3283328722720517722,10704881367893463002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10876 /prefetch:8
2⤵
PID:3640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\WannaCry by Rafael.rar
1⤵
- Modifies registry class
PID:1004

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\WannaCry by Rafael.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae4f50,0x7fef6ae4f60,0x7fef6ae4f70
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
2⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3644 /prefetch:2
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:8
2⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4056 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1104,16059466917295537881,13124922930062816137,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2260 /prefetch:8
2⤵
PID:2928

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1080

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2552

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c 104421662140868.bat
2⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:1216

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
- Loads dropped DLL
PID:3024

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:2540

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4028

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3384

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:952

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3272

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2368

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3188

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1324

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2792

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3100

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2944

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1584

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2244

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3136

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2088

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3572

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3632

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2752

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1832

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2480

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3844

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1712

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3628

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3568

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3392

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3316

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3444

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3424

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3256

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2628

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2564

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3752

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2372

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2856

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3024

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2680

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1356

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:764

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1704

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3656

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1292

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:608

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1576

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1964

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2996

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1828

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1500

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2600

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4088

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:4028

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2660

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1912

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3516

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3028

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1064

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1208

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:2388

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2652

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:4004

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2016

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3352

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
"C:\Users\Admin\Desktop\@WanaDecryptor@.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

File Permissions Modification

1

T1222

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\crashpad_1640_BPEXPMVGCCOWIKLW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/524-125-0x0000000000000000-mapping.dmp

Download
memory/652-90-0x0000000074290000-0x00000000744AC000-memory.dmp

Filesize
2.1MB

Download
memory/652-84-0x00000000741D0000-0x00000000741F2000-memory.dmp

Filesize
136KB

Download
memory/652-81-0x0000000074550000-0x00000000745D2000-memory.dmp

Filesize
520KB

Download
memory/652-82-0x0000000074290000-0x00000000744AC000-memory.dmp

Filesize
2.1MB

Download
memory/652-83-0x0000000074200000-0x0000000074282000-memory.dmp

Filesize
520KB

Download
memory/652-85-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/652-91-0x0000000074200000-0x0000000074282000-memory.dmp

Filesize
520KB

Download
memory/652-89-0x0000000074550000-0x00000000745D2000-memory.dmp

Filesize
520KB

Download
memory/652-80-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/652-92-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/652-74-0x0000000000000000-mapping.dmp

Download
memory/652-76-0x0000000074550000-0x00000000745D2000-memory.dmp

Filesize
520KB

Download
memory/652-77-0x0000000074290000-0x00000000744AC000-memory.dmp

Filesize
2.1MB

Download
memory/652-78-0x0000000074200000-0x0000000074282000-memory.dmp

Filesize
520KB

Download
memory/652-79-0x00000000741D0000-0x00000000741F2000-memory.dmp

Filesize
136KB

Download
memory/796-148-0x0000000000000000-mapping.dmp

Download
memory/892-160-0x0000000000000000-mapping.dmp

Download
memory/952-141-0x0000000000000000-mapping.dmp

Download
memory/996-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1080-58-0x0000000000000000-mapping.dmp

Download
memory/1164-94-0x0000000000000000-mapping.dmp

Download
memory/1216-67-0x0000000000000000-mapping.dmp

Download
memory/1228-161-0x0000000000000000-mapping.dmp

Download
memory/1396-112-0x0000000000000000-mapping.dmp

Download
memory/1544-128-0x0000000000000000-mapping.dmp

Download
memory/1636-140-0x0000000000000000-mapping.dmp

Download
memory/1728-61-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1728-60-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1740-102-0x0000000000000000-mapping.dmp

Download
memory/1820-137-0x0000000000000000-mapping.dmp

Download
memory/1836-136-0x0000000000000000-mapping.dmp

Download
memory/1888-87-0x0000000000000000-mapping.dmp

Download
memory/1924-135-0x0000000000000000-mapping.dmp

Download
memory/2044-115-0x0000000000000000-mapping.dmp

Download
memory/2060-157-0x0000000000000000-mapping.dmp

Download
memory/2064-65-0x0000000000000000-mapping.dmp

Download
memory/2100-133-0x0000000000000000-mapping.dmp

Download
memory/2164-159-0x0000000000000000-mapping.dmp

Download
memory/2168-143-0x0000000000000000-mapping.dmp

Download
memory/2192-66-0x0000000000000000-mapping.dmp

Download
memory/2260-131-0x0000000000000000-mapping.dmp

Download
memory/2440-152-0x0000000000000000-mapping.dmp

Download
memory/2472-147-0x0000000000000000-mapping.dmp

Download
memory/2488-156-0x0000000000000000-mapping.dmp

Download
memory/2504-127-0x0000000000000000-mapping.dmp

Download
memory/2540-86-0x0000000000000000-mapping.dmp

Download
memory/2552-59-0x0000000000000000-mapping.dmp

Download
memory/2596-113-0x0000000000000000-mapping.dmp

Download
memory/2636-153-0x0000000000000000-mapping.dmp

Download
memory/2648-123-0x0000000000000000-mapping.dmp

Download
memory/2764-149-0x0000000000000000-mapping.dmp

Download
memory/2772-108-0x0000000000000000-mapping.dmp

Download
memory/2820-155-0x0000000000000000-mapping.dmp

Download
memory/2824-100-0x0000000000000000-mapping.dmp

Download
memory/2832-129-0x0000000000000000-mapping.dmp

Download
memory/2840-93-0x0000000000000000-mapping.dmp

Download
memory/2888-139-0x0000000000000000-mapping.dmp

Download
memory/2924-88-0x0000000000000000-mapping.dmp

Download
memory/3024-70-0x0000000000000000-mapping.dmp

Download
memory/3032-132-0x0000000000000000-mapping.dmp

Download
memory/3088-69-0x0000000000000000-mapping.dmp

Download
memory/3140-116-0x0000000000000000-mapping.dmp

Download
memory/3148-117-0x0000000000000000-mapping.dmp

Download
memory/3216-72-0x0000000000000000-mapping.dmp

Download
memory/3272-144-0x0000000000000000-mapping.dmp

Download
memory/3280-109-0x0000000000000000-mapping.dmp

Download
memory/3292-119-0x0000000000000000-mapping.dmp

Download
memory/3340-99-0x0000000000000000-mapping.dmp

Download
memory/3384-124-0x0000000000000000-mapping.dmp

Download
memory/3472-145-0x0000000000000000-mapping.dmp

Download
memory/3720-120-0x0000000000000000-mapping.dmp

Download
memory/3788-121-0x0000000000000000-mapping.dmp

Download
memory/3856-151-0x0000000000000000-mapping.dmp

Download
memory/3888-105-0x0000000000000000-mapping.dmp

Download
memory/3900-104-0x0000000000000000-mapping.dmp

Download
memory/3964-96-0x0000000000000000-mapping.dmp

Download
memory/4028-97-0x0000000000000000-mapping.dmp

Download
memory/4052-107-0x0000000000000000-mapping.dmp

Download
memory/4072-111-0x0000000000000000-mapping.dmp

Download
memory/4076-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads