Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1026s -
max time network
1032s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
25/11/2022, 00:07
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1u-QY29jwsxXFxY5OOF4jWT1owIH4dgXw
Resource
win10v2004-20220901-en
windows10-2004-x64
45 signatures
1800 seconds
Errors
Reason
Machine shutdown
General
-
Target
https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1u-QY29jwsxXFxY5OOF4jWT1owIH4dgXw
Malware Config
Extracted
Path
C:\Readme.txt
Ransom Note
Oops! Your files have been encrypted.
If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service.
We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password.
Visit our web service at caforssztxqzf2nm.onion
Your personal installation key#2:
Zl3y2Sw8lh7JMlrs46/rCAz88bLbsfOmt0g8i60aT3TuRvTV6xaLErs5DbSJRJio
Yj2BtCpqrgF0cbxjOHixj7Yy8Sd2b545VDLDeS1HwKbCsXrHSGH7hDZ1vfCqAQB3
bEUoFJt8avferKiNDaejSjbyWULWlqK3VWZ3OyViVZx8kiAz3loHfkOwUkcWbscf
Oujo+zzxIpIoNZf1+EXIaT1T8Y5rp6wAr1J0u+0pIEC/3jF1ylwuN2jsivRw7fd1
r/vIcT7gJQxiZi9WDU5tN9MENxOfwWTMUmqx6+aNlodfNZibbHieWpfkSuymJVao
f1EhiSniN7I2s4S0mRTQ5fOQqairCHxFGA==
URLs
http://caforssztxqzf2nm.onion
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 425 5012 MsiExec.exe -
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\SyncInstall.tiff rundll32.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation PCEkcUwA.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation beast.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation kCwIAoUQ.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation kCwIAoUQ.exe -
Loads dropped DLL 30 IoCs
pid Process 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1672 beast.exe 1952 beast.exe 5324 [email protected] 5324 [email protected] 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 4032 MsiExec.exe 5012 MsiExec.exe 5324 [email protected] 5012 MsiExec.exe 5188 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kCwIAoUQ.exe = "C:\\Users\\Admin\\VSUsQoIc\\kCwIAoUQ.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kCwIAoUQ.exe = "C:\\Users\\Admin\\VSUsQoIc\\kCwIAoUQ.exe" kCwIAoUQ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCEkcUwA.exe = "C:\\ProgramData\\eEIUUUEU\\PCEkcUwA.exe" PCEkcUwA.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kCwIAoUQ.exe = "C:\\Users\\Admin\\VSUsQoIc\\kCwIAoUQ.exe" kCwIAoUQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kCwIAoUQ.exe = "C:\\Users\\Admin\\VSUsQoIc\\kCwIAoUQ.exe" kCwIAoUQ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCEkcUwA.exe = "C:\\ProgramData\\eEIUUUEU\\PCEkcUwA.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kCwIAoUQ.exe = "C:\\Users\\Admin\\VSUsQoIc\\kCwIAoUQ.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCEkcUwA.exe = "C:\\ProgramData\\eEIUUUEU\\PCEkcUwA.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCEkcUwA.exe = "C:\\ProgramData\\eEIUUUEU\\PCEkcUwA.exe" PCEkcUwA.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [email protected] Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini LogonUI.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\Z: [email protected] File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: [email protected] File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: [email protected] File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: [email protected] File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: [email protected] File opened (read-only) \??\F: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: [email protected] File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: [email protected] File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: [email protected] File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: [email protected] File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell32.dll.exe kCwIAoUQ.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt beast.exe File created C:\Windows\SysWOW64\shell32.dll.exe kCwIAoUQ.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 3428 MSIAfterburner.exe 3428 MSIAfterburner.exe 5584 MSIAfterburner.exe 5584 MSIAfterburner.exe -
Drops file in Program Files directory 44 IoCs
description ioc Process File opened for modification C:\Program Files\Process Hacker 2\ProcessHacker.exe processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-JQ22T.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-6OERM.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\UserNotes.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\x86\is-5141O.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\unins000.dat processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-MG8SI.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-67IQE.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-9RLS3.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-9B2GE.tmp processhacker-2.39-setup.tmp File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe msiexec.exe File created C:\Program Files\Process Hacker 2\is-OMKD8.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-VTE6P.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-0C3NB.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-O2UE4.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-5O7EA.tmp processhacker-2.39-setup.tmp File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav msiexec.exe File opened for modification C:\Program Files\Process Hacker 2\plugins\Updater.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-4BJHM.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-IN3NV.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-TG3FD.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-7AG7K.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-VEMPG.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-QL21E.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\peview.exe processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-K0729.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-7VS4U.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\x86\plugins\is-IP4VC.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\is-4CC8E.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-6HG7E.tmp processhacker-2.39-setup.tmp File created C:\Program Files\Process Hacker 2\plugins\is-26VHT.tmp processhacker-2.39-setup.tmp File opened for modification C:\Program Files\Process Hacker 2\unins000.dat processhacker-2.39-setup.tmp -
Drops file in Windows directory 26 IoCs
description ioc Process File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} msiexec.exe File opened for modification C:\Windows\Installer\MSI4F36.tmp msiexec.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\Installer\MSI48D3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI49CF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4806.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI48A3.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4C83.tmp msiexec.exe File opened for modification C:\Windows\430A.tmp rundll32.exe File created C:\Windows\Installer\e6145c3.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI4749.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4A9B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4BC5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4C04.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4C53.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4D5F.tmp msiexec.exe File created C:\Windows\Tasks\sys.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI4E79.tmp msiexec.exe File opened for modification C:\Windows\Installer\e6145c3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4941.tmp msiexec.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid pid_target Process procid_target 2324 3428 WerFault.exe 164 5692 5584 WerFault.exe 168 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4372 schtasks.exe 1508 schtasks.exe -
Enumerates system info in registry 2 TTPs 15 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 1 IoCs
pid Process 1628 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "288340931" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998627" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "291466507" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C9B45B4-6C56-11ED-A0EE-D64C4877EDD1} = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998627" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TypedURLs beast.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "288340931" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998627" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000010000000083ffff0083ffffffffffffffffffff00000000000000005802000058020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000010000000083ffff0083ffffffffffffffffffff3b0200005200000093040000aa020000 IEXPLORE.EXE -
Modifies data under HKEY_USERS 57 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002687dd586400d901 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000} LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@Winlangdb.dll,-1121 = "English (United States)" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000 LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" notepad.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{A40285D5-9D33-46FC-AD89-74247B6D7FE5} chrome.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000010000000200000000000000ffffffff notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000030000000100000000000000ffffffff notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{91651606-B369-4CE0-95A3-E894AFA8B170} chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU beast.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000ffffffff notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell beast.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000ffffffff beast.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings control.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Documents" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{5A0E5826-0471-47D9-9F75-474887A5E219} chrome.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" notepad.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 5140 reg.exe 1224 reg.exe 1656 reg.exe 5136 reg.exe 724 reg.exe 3984 reg.exe 3656 reg.exe 1756 reg.exe 5500 reg.exe 1188 reg.exe 420 reg.exe 4920 reg.exe 2304 reg.exe 5212 reg.exe 5888 reg.exe 5200 reg.exe 4076 reg.exe 5012 reg.exe 5768 reg.exe 1120 reg.exe 2752 reg.exe 6012 reg.exe 5784 reg.exe 4976 reg.exe 2132 reg.exe 2720 reg.exe 3768 reg.exe 5468 reg.exe 4528 reg.exe 1836 reg.exe 1140 reg.exe 3480 reg.exe 536 reg.exe 1472 reg.exe 6000 reg.exe 5456 reg.exe 424 reg.exe 2304 reg.exe 2132 reg.exe 3104 reg.exe 748 reg.exe 1828 reg.exe 5080 reg.exe 960 reg.exe 2848 reg.exe 1268 reg.exe 3256 reg.exe 3932 reg.exe 400 reg.exe 5768 reg.exe 1812 reg.exe 6040 reg.exe 5320 reg.exe 4012 reg.exe 3024 reg.exe 5232 reg.exe 1912 reg.exe 1076 reg.exe 868 reg.exe 4688 reg.exe 4060 reg.exe 5052 reg.exe 6036 reg.exe 400 reg.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 beast.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 beast.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 beast.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 984 NOTEPAD.EXE 1120 Notepad.exe 4104 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4932 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1656 chrome.exe 1656 chrome.exe 5028 chrome.exe 5028 chrome.exe 4588 chrome.exe 4588 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3056 chrome.exe 3056 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 908 chrome.exe 908 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process 3624 taskmgr.exe 1672 beast.exe 1952 beast.exe 4804 kCwIAoUQ.exe 5076 PCEkcUwA.exe 1036 notepad.exe 5796 kCwIAoUQ.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 640 Process not Found 640 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 52 IoCs
pid Process 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5412 chrome.exe 5412 chrome.exe 5412 chrome.exe 5412 chrome.exe 5412 chrome.exe 5412 chrome.exe 5412 chrome.exe 5328 chrome.exe 5328 chrome.exe 5328 chrome.exe 5328 chrome.exe 5328 chrome.exe 5328 chrome.exe 5328 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 5524 chrome.exe 1412 chrome.exe 1412 chrome.exe 1412 chrome.exe 1412 chrome.exe 1412 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3624 taskmgr.exe Token: SeSystemProfilePrivilege 3624 taskmgr.exe Token: SeCreateGlobalPrivilege 3624 taskmgr.exe Token: SeShutdownPrivilege 4728 control.exe Token: SeCreatePagefilePrivilege 4728 control.exe Token: SeShutdownPrivilege 4932 explorer.exe Token: SeCreatePagefilePrivilege 4932 explorer.exe Token: SeDebugPrivilege 1672 beast.exe Token: SeIncBasePriorityPrivilege 1672 beast.exe Token: 33 1672 beast.exe Token: SeLoadDriverPrivilege 1672 beast.exe Token: SeProfSingleProcessPrivilege 1672 beast.exe Token: SeRestorePrivilege 1672 beast.exe Token: SeShutdownPrivilege 1672 beast.exe Token: SeTakeOwnershipPrivilege 1672 beast.exe Token: SeDebugPrivilege 1952 beast.exe Token: SeIncBasePriorityPrivilege 1952 beast.exe Token: 33 1952 beast.exe Token: SeLoadDriverPrivilege 1952 beast.exe Token: SeProfSingleProcessPrivilege 1952 beast.exe Token: SeRestorePrivilege 1952 beast.exe Token: SeShutdownPrivilege 1952 beast.exe Token: SeTakeOwnershipPrivilege 1952 beast.exe Token: 33 804 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 804 AUDIODG.EXE Token: SeRestorePrivilege 748 7zG.exe Token: 35 748 7zG.exe Token: SeSecurityPrivilege 748 7zG.exe Token: SeSecurityPrivilege 748 7zG.exe Token: SeDebugPrivilege 1940 beast.exe Token: SeIncBasePriorityPrivilege 1940 beast.exe Token: 33 1940 beast.exe Token: SeLoadDriverPrivilege 1940 beast.exe Token: SeProfSingleProcessPrivilege 1940 beast.exe Token: SeRestorePrivilege 1940 beast.exe Token: SeShutdownPrivilege 1940 beast.exe Token: SeTakeOwnershipPrivilege 1940 beast.exe Token: SeDebugPrivilege 1628 taskkill.exe Token: SeDebugPrivilege 4432 beast.exe Token: SeIncBasePriorityPrivilege 4432 beast.exe Token: 33 4432 beast.exe Token: SeLoadDriverPrivilege 4432 beast.exe Token: SeProfSingleProcessPrivilege 4432 beast.exe Token: SeRestorePrivilege 4432 beast.exe Token: SeShutdownPrivilege 4432 beast.exe Token: SeTakeOwnershipPrivilege 4432 beast.exe Token: SeRestorePrivilege 4224 7zG.exe Token: 35 4224 7zG.exe Token: SeSecurityPrivilege 4224 7zG.exe Token: SeSecurityPrivilege 4224 7zG.exe Token: SeSecurityPrivilege 5460 msiexec.exe Token: SeCreateTokenPrivilege 5324 [email protected] Token: SeAssignPrimaryTokenPrivilege 5324 [email protected] Token: SeLockMemoryPrivilege 5324 [email protected] Token: SeIncreaseQuotaPrivilege 5324 [email protected] Token: SeMachineAccountPrivilege 5324 [email protected] Token: SeTcbPrivilege 5324 [email protected] Token: SeSecurityPrivilege 5324 [email protected] Token: SeTakeOwnershipPrivilege 5324 [email protected] Token: SeLoadDriverPrivilege 5324 [email protected] Token: SeSystemProfilePrivilege 5324 [email protected] Token: SeSystemtimePrivilege 5324 [email protected] Token: SeProfSingleProcessPrivilege 5324 [email protected] Token: SeIncBasePriorityPrivilege 5324 [email protected] -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 5028 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 3624 taskmgr.exe 5028 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 5028 chrome.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe 3624 taskmgr.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 3912 IEXPLORE.EXE 3912 IEXPLORE.EXE 4384 IEXPLORE.EXE 4384 IEXPLORE.EXE 3912 IEXPLORE.EXE 4384 IEXPLORE.EXE 4384 IEXPLORE.EXE 1036 notepad.exe 1036 notepad.exe 1036 notepad.exe 1036 notepad.exe 1036 notepad.exe 2988 notepad.exe 2988 notepad.exe 1868 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5028 wrote to memory of 1336 5028 chrome.exe 82 PID 5028 wrote to memory of 1336 5028 chrome.exe 82 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 4236 5028 chrome.exe 84 PID 5028 wrote to memory of 1656 5028 chrome.exe 85 PID 5028 wrote to memory of 1656 5028 chrome.exe 85 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 PID 5028 wrote to memory of 3424 5028 chrome.exe 86 -
System policy modification 1 TTPs 22 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected]
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1u-QY29jwsxXFxY5OOF4jWT1owIH4dgXw1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf0ad4f50,0x7ffcf0ad4f60,0x7ffcf0ad4f702⤵PID:1336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:22⤵PID:4236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵PID:3424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵PID:1016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:12⤵PID:4204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4336 /prefetch:82⤵PID:2752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4928 /prefetch:82⤵PID:2836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 /prefetch:82⤵PID:3508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:82⤵PID:4800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:82⤵PID:3836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:82⤵PID:3748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:82⤵PID:4436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:12⤵PID:2536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵PID:908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:82⤵PID:896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:12⤵PID:896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:2868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:12⤵PID:3508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=980 /prefetch:82⤵PID:3472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1656
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:82⤵PID:4688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2700
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵PID:2308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:82⤵PID:3592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:82⤵PID:4324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3472 /prefetch:82⤵PID:1348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 /prefetch:82⤵PID:4432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:82⤵PID:1448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:12⤵PID:2548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵PID:3924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:82⤵PID:2560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵PID:1036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:12⤵PID:3448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵PID:1088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:12⤵PID:4024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵PID:816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵PID:2276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:12⤵PID:4060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵PID:4804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:12⤵PID:1904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:12⤵PID:5164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵PID:5216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:12⤵PID:5224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:12⤵PID:5260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5264 /prefetch:22⤵PID:5448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 /prefetch:82⤵PID:5516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6436 /prefetch:82⤵PID:5508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:82⤵PID:5572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:82⤵PID:5632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,14910627162832451790,11475898870084251357,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:82⤵PID:5640
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1408
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3624
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 7163f0690e917690238ca5a741e4058b MHKe6oXf2UOFvW9DLK4LQw.0.1.0.0.01⤵PID:3748
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:3100
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5860
-
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"1⤵
- Executes dropped EXE
PID:5892 -
C:\Users\Admin\AppData\Local\Temp\is-SSAF8.tmp\processhacker-2.39-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SSAF8.tmp\processhacker-2.39-setup.tmp" /SL5="$C0468,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5980
-
-
C:\Program Files\Process Hacker 2\beast.exe"C:\Program Files\Process Hacker 2\beast.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
C:\Users\Admin\Downloads\MSIAfterburner.exe"C:\Users\Admin\Downloads\MSIAfterburner.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 4362⤵
- Program crash
PID:2324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3428 -ip 34281⤵PID:5552
-
C:\Users\Admin\Downloads\MSIAfterburner.exe"C:\Users\Admin\Downloads\MSIAfterburner.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 4042⤵
- Program crash
PID:5692
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5584 -ip 55841⤵PID:5656
-
C:\Program Files\Process Hacker 2\beast.exe"C:\Program Files\Process Hacker 2\beast.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\system32\userinit.exe"C:\Windows\system32\userinit.exe"2⤵PID:3892
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE3⤵PID:2392
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5412 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0x10c,0x128,0x7ffcf0ad4f50,0x7ffcf0ad4f60,0x7ffcf0ad4f702⤵PID:5432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:22⤵PID:5348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1940 /prefetch:82⤵PID:2300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:82⤵PID:5128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:12⤵PID:5316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:12⤵PID:3768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:12⤵PID:5360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:82⤵PID:5732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:82⤵PID:1920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:82⤵PID:4244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:82⤵PID:4680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:82⤵PID:1160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵PID:4916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:12⤵PID:5832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:12⤵PID:5812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3152 /prefetch:82⤵
- Modifies registry class
PID:6100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3144 /prefetch:82⤵PID:6084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:6024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:82⤵PID:2556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5884
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:82⤵PID:4652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵PID:504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:82⤵PID:3920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:82⤵PID:3428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12775763264018846742,7851191686913972069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:82⤵PID:5652
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4948
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x4981⤵
- Suspicious use of AdjustPrivilegeToken
PID:804
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ViraLock\" -spe -an -ai#7zMap2358:78:7zEvent102701⤵
- Suspicious use of AdjustPrivilegeToken
PID:748
-
C:\Users\Admin\Desktop\[email protected]PID:340
-
C:\Users\Admin\VSUsQoIc\kCwIAoUQ.exe"C:\Users\Admin\VSUsQoIc\kCwIAoUQ.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4804 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank3⤵PID:5036
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3912 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
-
-
-
C:\ProgramData\eEIUUUEU\PCEkcUwA.exe"C:\ProgramData\eEIUUUEU\PCEkcUwA.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:5076 -
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM kCwIAoUQ.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Users\Admin\VSUsQoIc\kCwIAoUQ.exe"C:\Users\Admin\VSUsQoIc\kCwIAoUQ.exe"3⤵
- Adds Run key to start application
PID:2672
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\My Documents\myfile"3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1036 -
C:\Program Files\Process Hacker 2\beast.exe"C:\Program Files\Process Hacker 2\beast.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"2⤵PID:5224
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock3⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"4⤵PID:5368
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock5⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"6⤵PID:2304
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock7⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"8⤵PID:2276
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock9⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"10⤵PID:5180
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock11⤵
- Executes dropped EXE
PID:5328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"12⤵PID:5680
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock13⤵PID:420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"14⤵PID:800
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock15⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"16⤵PID:3104
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock17⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"18⤵PID:4060
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock19⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"20⤵PID:5188
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock21⤵
- Executes dropped EXE
PID:5476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"22⤵PID:5940
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock23⤵
- Executes dropped EXE
PID:5284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"24⤵PID:4448
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock25⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"26⤵PID:308
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock27⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"28⤵PID:5580
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock29⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"30⤵PID:5700
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock31⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"32⤵PID:5832
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock33⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"34⤵PID:5424
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock35⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"36⤵PID:5780
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock37⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"38⤵PID:4400
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock39⤵
- Executes dropped EXE
PID:5616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"40⤵PID:3448
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock41⤵PID:5240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"42⤵PID:5168
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock43⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"44⤵PID:2956
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock45⤵PID:5036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"46⤵PID:3592
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock47⤵
- Executes dropped EXE
PID:5972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"48⤵PID:392
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock49⤵
- Executes dropped EXE
PID:6068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"50⤵PID:5132
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock51⤵PID:4212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"52⤵PID:1248
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock53⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"54⤵PID:1544
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock55⤵PID:4284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"56⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4920 -
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock57⤵PID:4556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"58⤵PID:5172
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock59⤵
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"60⤵PID:5300
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock61⤵
- Executes dropped EXE
PID:5988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"62⤵PID:2248
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock63⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"64⤵PID:5248
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock65⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"66⤵PID:5896
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock67⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"68⤵PID:5168
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock69⤵PID:5520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"70⤵PID:4528
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock71⤵PID:5744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"72⤵
- Modifies visibility of file extensions in Explorer
PID:2848 -
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock73⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"74⤵PID:4392
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock75⤵
- Executes dropped EXE
PID:5664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"76⤵PID:5152
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock77⤵PID:5916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"78⤵
- Modifies visibility of file extensions in Explorer
PID:180 -
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock79⤵
- Executes dropped EXE
PID:5700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"80⤵
- Modifies visibility of file extensions in Explorer
PID:340 -
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock81⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:5488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"82⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
PID:4212 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵
- UAC bypass
PID:5860
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock83⤵PID:2720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"84⤵PID:5572
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock85⤵PID:1496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"86⤵PID:4512
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock87⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"88⤵PID:1652
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock89⤵PID:900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"90⤵PID:3988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:3256
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock91⤵PID:2992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"92⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4392 -
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock93⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"94⤵PID:2128
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:4128
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock95⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"96⤵PID:1980
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock97⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:6000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"98⤵PID:4104
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock99⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"100⤵PID:2700
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock101⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"102⤵PID:5416
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock103⤵
- Executes dropped EXE
PID:6024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"104⤵PID:2828
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock105⤵
- Executes dropped EXE
PID:5552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"106⤵PID:1664
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock107⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"108⤵PID:5144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:5572
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock109⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"110⤵PID:3196
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock111⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"112⤵PID:5280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:5896
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock113⤵PID:5580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"114⤵PID:536
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock115⤵PID:4828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"116⤵PID:2204
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock117⤵
- Executes dropped EXE
PID:5744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"118⤵PID:4660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:4528
-
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock119⤵PID:1544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"120⤵PID:5828
-
C:\Users\Admin\Desktop\[email protected]C:\Users\Admin\Desktop\Endermanch@ViraLock121⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-