wannacry | 920841766c2da541592a0ae874c8528cdb6b3009b5f1873c4d19bacbb116ac40

System Information Discovery

Processes:

AnyDesk.exeAnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1467.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD147E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 32 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exetaskdl.exe@[email protected]@[email protected]@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
2792	AnyDesk.exe
4852	AnyDesk.exe
3020	AnyDesk.exe
2452	AnyDesk.exe
412	taskdl.exe
2956	@[email protected]
4660	@[email protected]
656	@[email protected]
4552	taskdl.exe
4388	taskse.exe
4368	@[email protected]
1876	taskdl.exe
1700	taskse.exe
4660	@[email protected]
412	taskse.exe
3520	@[email protected]
4908	taskdl.exe
5284	taskse.exe
5328	@[email protected]
5412	taskdl.exe
3004	taskse.exe
5124	@[email protected]
5508	taskdl.exe
3760	taskse.exe
6140	@[email protected]
5140	taskdl.exe
3348	taskse.exe
5644	@[email protected]
1420	taskdl.exe
5836	taskse.exe
5892	@[email protected]
5688	taskdl.exe

Loads dropped DLL 2 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid process

3020 AnyDesk.exe
4852 AnyDesk.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4436 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3020	AnyDesk.exe
4852	AnyDesk.exe

pid	process
4436	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\piiacqqpkwwf146 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 15 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DeadCodeLauncher.exe

pid process

2492 DeadCodeLauncher.exe
2492 DeadCodeLauncher.exe

Drops file in Windows directory 5 IoCs

Processes:

taskmgr.exemspaint.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exefirefox.exeAnyDesk.exetaskmgr.exetaskmgr.exeDeadCodeLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DeadCodeLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DeadCodeLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31071382"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b9511bb08f2894680485c516635480700000000020000000000106600000001000020000000c82c39c39e2541dcb2ec8439808307327f015c6ade54d4637de6b779cb3bc694000000000e8000000002000020000000cf1ee25e2f7e0093241608d3a40f60802e811ca66e88dd4c4500f8a19acb9f7a200000003f5ffd5fc372a8bf60ea888f72f82ddca8977b7df08261e75f5cd1146727b971400000003a80db27f58abd84d4deab4aa5cba0f87b9013cd068d4dde9ec5df51195bb5931874572bc2f9f44419d0bbfc328d01ceeed3eb23cb8820e8d354f7f37239bcb7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3536534344"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE730E0D-8889-11EE-8D2D-CE141FFDD20C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31071382"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b9511bb08f2894680485c51663548070000000002000000000010660000000100002000000031ae7e57d365e97984d530258887e2c7c1bdb0a6786812224e818c6a9508311d000000000e800000000200002000000046264fc49764b4c3f305872fc5d65a9de81221c03dea1c2949cddb94203f49322000000090b7f5935fe687e8b6f431e888da9d51effa54a04b1f389618792054c2801a284000000007fc3802295b2a728a4078dff7221e28acc25f9b4747c54c640a6c4d0bfe614034f6167ed4ee76c60497ad31eb61c0e88452a2c4c19fb3bd6755f23a0f60de7d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04329d3961cda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3536534344"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602923d3961cda01	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133450571417669334"	chrome.exe

Modifies registry class 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2520 reg.exe

pid	process
2520	reg.exe

NTFS ADS 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\petya.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

AnyDesk.exevlc.exe

pid process

3020 AnyDesk.exe
3348 vlc.exe

pid	process
3020	AnyDesk.exe
3348	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DeadCodeLauncher.exemspaint.exechrome.exeAnyDesk.exetaskmgr.exe

pid	process
2492	DeadCodeLauncher.exe
2492	DeadCodeLauncher.exe
2492	DeadCodeLauncher.exe
2492	DeadCodeLauncher.exe
1328	mspaint.exe
1328	mspaint.exe
428	chrome.exe
428	chrome.exe
4852	AnyDesk.exe
4852	AnyDesk.exe
4852	AnyDesk.exe
4852	AnyDesk.exe
4852	AnyDesk.exe
4852	AnyDesk.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

DeadCodeLauncher.exevlc.exe@[email protected]AnyDesk.exe

pid process

2492 DeadCodeLauncher.exe
3348 vlc.exe
2956 @[email protected]
2452 AnyDesk.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

428 chrome.exe
428 chrome.exe
428 chrome.exe
428 chrome.exe
428 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: 33	3736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3736	AUDIODG.EXE
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeAnyDesk.exetaskmgr.exe

pid	process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
428	chrome.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeAnyDesk.exetaskmgr.exe

pid	process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
3020	AnyDesk.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe
1040	taskmgr.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

mspaint.exeAnyDesk.exeiexplore.exeIEXPLORE.EXEvlc.exefirefox.exefirefox.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
1328	mspaint.exe
1328	mspaint.exe
1328	mspaint.exe
1328	mspaint.exe
2452	AnyDesk.exe
2452	AnyDesk.exe
3400	iexplore.exe
3400	iexplore.exe
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
3348	vlc.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
712	firefox.exe
2956	@[email protected]
2956	@[email protected]
4660	@[email protected]
656	@[email protected]
4368	@[email protected]
4660	@[email protected]
3520	@[email protected]
5328	@[email protected]
712	firefox.exe
712	firefox.exe
712	firefox.exe
5124	@[email protected]
6140	@[email protected]
5644	@[email protected]
5892	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 428 wrote to memory of 3220	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3220	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 3880	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 2648	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 2648	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe
PID 428 wrote to memory of 4460	428	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4452 attrib.exe
3296 attrib.exe

pid	process
4452	attrib.exe
3296	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DeadCodeLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\DeadCodeLauncher.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2492

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnblockLock.emf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffb87cd9758,0x7ffb87cd9768,0x7ffb87cd9778
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:2
2⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:1
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:1
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:1
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7ae697688,0x7ff7ae697698,0x7ff7ae6976a8
3⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5160 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:1
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4688 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4500 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3016 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3596 --field-trial-handle=1860,i,13778361605822373200,12545000797701129236,131072 /prefetch:8
2⤵
PID:4364

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2792

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3020

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --backend
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResetCompare.xsl
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3400 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\FormatOut.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.0.745212098\850963526" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {295cde1b-0738-4bbf-85b5-37f74fa41b4a} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1764 21c342d6858 gpu
3⤵
PID:600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.1.1202027740\2059616995" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd3109b5-3f23-4d17-9ef6-368f98775960} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2120 21c29072b58 socket
3⤵
- Checks processor information in registry
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.2.722820339\656415005" -childID 1 -isForBrowser -prefsHandle 2572 -prefMapHandle 3008 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd63bbb-6620-4b86-82d7-554d52d6cc15} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2488 21c382a5058 tab
3⤵
PID:4980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.3.1378530709\1879235846" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3548 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {922098d8-7867-48b5-af16-f56666452953} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3568 21c29062b58 tab
3⤵
PID:208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.4.1744884734\403199531" -childID 3 -isForBrowser -prefsHandle 4296 -prefMapHandle 3840 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad393a6b-1993-4962-a45c-84f079fc1ede} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 4316 21c3a1cdd58 tab
3⤵
PID:4800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.5.1627757716\1816096577" -childID 4 -isForBrowser -prefsHandle 4688 -prefMapHandle 2660 -prefsLen 26618 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c6e2e5c-85b9-4761-9e7f-677d6f2a292b} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2628 21c29030b58 tab
3⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.7.1880302337\1834139406" -childID 6 -isForBrowser -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 26618 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5b9146c-53b7-47e0-aea3-ce947fc1f664} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 5016 21c3a8e2b58 tab
3⤵
PID:1916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.6.690398390\219295650" -childID 5 -isForBrowser -prefsHandle 4912 -prefMapHandle 4916 -prefsLen 26618 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b690578b-ae29-499c-aa79-a66aded9fe01} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 4996 21c3a8e4658 tab
3⤵
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.8.1399113101\399048843" -childID 7 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 26874 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {566c0e7e-778b-4ae4-b4f8-78a6252529e7} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 5644 21c3c7f6c58 tab
3⤵
PID:3028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.9.507561139\904358085" -childID 8 -isForBrowser -prefsHandle 4868 -prefMapHandle 4700 -prefsLen 27139 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26bccb87-ae40-49c9-8df6-47ed04199e64} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 4856 21c39259a58 tab
3⤵
PID:1308

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:2956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.0.606548033\1720009122" -parentBuildID 20221007134813 -prefsHandle 1564 -prefMapHandle 1556 -prefsLen 21461 -prefMapSize 232814 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d0bf980-f6cc-48ea-9339-329d43a17b2a} 712 "\\.\pipe\gecko-crash-server-pipe.712" 1660 1d456bfb658 gpu
3⤵
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.1.2023078915\1633820686" -parentBuildID 20221007134813 -prefsHandle 1988 -prefMapHandle 1976 -prefsLen 21506 -prefMapSize 232814 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0a2f26-1a50-4ff4-a51d-9d56653aaac5} 712 "\\.\pipe\gecko-crash-server-pipe.712" 2000 1d456837e58 socket
3⤵
PID:4000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.2.579341465\1409977136" -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2740 -prefsLen 21967 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6bf7c6-e264-4277-9dc7-40471f3ed2ee} 712 "\\.\pipe\gecko-crash-server-pipe.712" 2640 1d45ab73f58 tab
3⤵
PID:2536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.3.1084425412\728412574" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47b4b88b-1954-4d23-86ab-6629c9676b78} 712 "\\.\pipe\gecko-crash-server-pipe.712" 3468 1d45bad5858 tab
3⤵
PID:4684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.4.586408592\1442041841" -childID 3 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1741f88-8b4c-46cf-ac20-1e4ed94a7b3a} 712 "\\.\pipe\gecko-crash-server-pipe.712" 3976 1d45c52be58 tab
3⤵
PID:2152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.7.1566335247\1328664704" -childID 6 -isForBrowser -prefsHandle 4796 -prefMapHandle 4800 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66cf6eae-fd5b-4a66-aed2-3265d41590e7} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4788 1d45d3da258 tab
3⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.6.1255701301\1493850317" -childID 5 -isForBrowser -prefsHandle 4604 -prefMapHandle 4608 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6beb300-fcc9-4751-9ac8-3c1d9dc9aa07} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4596 1d45c176b58 tab
3⤵
PID:4016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.5.206916728\2041233779" -childID 4 -isForBrowser -prefsHandle 4012 -prefMapHandle 4432 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29d39cf9-1140-4942-8e2d-b43dfe4b4a72} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4424 1d45955f858 tab
3⤵
PID:884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.8.827444509\18571452" -childID 7 -isForBrowser -prefsHandle 5444 -prefMapHandle 5428 -prefsLen 27327 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbe07162-59e0-46cc-bce6-bfda84639a14} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5236 1d45e7b4358 tab
3⤵
PID:3260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.9.1901938262\37277387" -childID 8 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27336 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {789acb55-fb51-4dbc-bcf8-9642f96d6d91} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5616 1d45e48ee58 tab
3⤵
PID:1580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.10.1194916943\2004917771" -parentBuildID 20221007134813 -prefsHandle 6116 -prefMapHandle 6112 -prefsLen 27336 -prefMapSize 232814 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ca71c5a-3d33-4c23-85f9-0f1e65bccb7c} 712 "\\.\pipe\gecko-crash-server-pipe.712" 6124 1d45e4ade58 rdd
3⤵
PID:5224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.11.2051826059\612576922" -childID 9 -isForBrowser -prefsHandle 6296 -prefMapHandle 6288 -prefsLen 27336 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d888524-b2d7-4365-8c41-bc71dcd633ea} 712 "\\.\pipe\gecko-crash-server-pipe.712" 6316 1d45e4af058 tab
3⤵
PID:5300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.12.1006701131\2120585532" -childID 10 -isForBrowser -prefsHandle 4740 -prefMapHandle 4756 -prefsLen 27336 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7edaacb7-f04b-4176-b6a8-9e3f0eb12077} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4716 1d45d3ddb58 tab
3⤵
PID:5916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.13.1166062759\1267142297" -childID 11 -isForBrowser -prefsHandle 4816 -prefMapHandle 4944 -prefsLen 27345 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa4db6eb-1709-47ce-99ff-c05fa20448be} 712 "\\.\pipe\gecko-crash-server-pipe.712" 4144 1d45f6fd058 tab
3⤵
PID:5532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.14.101481519\30433659" -childID 12 -isForBrowser -prefsHandle 6268 -prefMapHandle 6320 -prefsLen 27345 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {381128f1-899f-4acc-bb50-75bfb930c105} 712 "\\.\pipe\gecko-crash-server-pipe.712" 6100 1d460706e58 tab
3⤵
PID:2132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.15.594884478\419130903" -childID 13 -isForBrowser -prefsHandle 10960 -prefMapHandle 10964 -prefsLen 27345 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b95dc13-fcf1-42c9-b8a2-2456ad3fe706} 712 "\\.\pipe\gecko-crash-server-pipe.712" 10952 1d45e3d2558 tab
3⤵
PID:3516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.16.896852606\1895323091" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 8840 -prefMapHandle 8780 -prefsLen 27345 -prefMapSize 232814 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee9f4ca-c721-4bbc-94c4-f25f986643c2} 712 "\\.\pipe\gecko-crash-server-pipe.712" 10960 1d45efb6d58 utility
3⤵
PID:5732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.17.1524296447\1217016203" -childID 14 -isForBrowser -prefsHandle 8716 -prefMapHandle 8840 -prefsLen 27345 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efe09a2c-caa1-49d6-afc0-1080e9fefb44} 712 "\\.\pipe\gecko-crash-server-pipe.712" 8820 1d45f6fb558 tab
3⤵
PID:5676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="712.18.304804734\605292337" -childID 15 -isForBrowser -prefsHandle 8480 -prefMapHandle 4760 -prefsLen 27345 -prefMapSize 232814 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {660cd6b8-56e9-4a78-9630-e5b0dafb4aaf} 712 "\\.\pipe\gecko-crash-server-pipe.712" 5604 1d45d3ddb58 tab
3⤵
PID:5692

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2208

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4452

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4436

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 71231700583824.bat
2⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:508

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1752

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:656

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "piiacqqpkwwf146" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "piiacqqpkwwf146" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2520

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:412

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5412

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5124

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5508

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5140

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3348

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:5836

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5688

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery