wannacry | b4f28e32feb67eee2a8ce652e56653a8ac3e643e1a11cf16e00986e1e07423ed

System Information Discovery

Processes:

taskdl.exetaskse.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	taskdl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	taskse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C55.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C5C.tmp	WannaCry.EXE

Executes dropped EXE 64 IoCs

Processes:

vlc-3.0.20-win64.exevlc-cache-gen.exevlc.exeWannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
4716	vlc-3.0.20-win64.exe
3056	vlc-cache-gen.exe
5076	vlc.exe
5064	WannaCry.EXE
3288	taskdl.exe
2088	@[email protected]
1296	@[email protected]
3768	taskhsvc.exe
4424	taskdl.exe
3388	taskse.exe
1956	@[email protected]
3992	taskdl.exe
2180	taskse.exe
1560	@[email protected]
1500	taskdl.exe
1304	taskse.exe
1296	@[email protected]
4880	@[email protected]
2608	taskse.exe
1456	taskdl.exe
4816	@[email protected]
1552	taskse.exe
1264	taskdl.exe
4036	@[email protected]
3064	taskse.exe
4464	taskdl.exe
4472	@[email protected]
4720	taskse.exe
3748	taskdl.exe
3708	@[email protected]
644	taskse.exe
3268	taskdl.exe
1368	@[email protected]
4168	taskse.exe
2224	taskdl.exe
3652	@[email protected]
3928	taskse.exe
4820	taskdl.exe
3820	@[email protected]
2084	taskse.exe
1780	taskdl.exe
4024	taskse.exe
3524	@[email protected]
4424	taskdl.exe
5084	taskse.exe
500	@[email protected]
5080	taskdl.exe
2500	taskse.exe
1156	@[email protected]
4060	taskdl.exe
4984	taskse.exe
1800	@[email protected]
1040	taskdl.exe
2692	taskse.exe
2240	@[email protected]
4780	taskdl.exe
2952	@[email protected]
1112	taskse.exe
1408	taskdl.exe
4260	taskse.exe
2136	@[email protected]
2172	taskdl.exe
3924	taskse.exe
3844	@[email protected]

Loads dropped DLL 64 IoCs

Processes:

vlc-3.0.20-win64.exevlc-cache-gen.exe

pid	process
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe
3056	vlc-cache-gen.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1040 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1040	icacls.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\axvlc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fqknnxxefjyk175 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

vlc-3.0.20-win64.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\COPYING.txt	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfps_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	vlc-3.0.20-win64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\	vlc-3.0.20-win64.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	vlc-3.0.20-win64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3880 taskkill.exe
4100 taskkill.exe

pid	process
3880	taskkill.exe
4100	taskkill.exe

Modifies registry class 64 IoCs

Processes:

vlc-3.0.20-win64.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpc\shell\Open\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\.mts\ = "VLC.mts"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.s3m\shell\PlayWithVLC	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wv\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.spx\DefaultIcon	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.b4s\DefaultIcon\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp\shell\PlayWithVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.qcp\shell\PlayWithVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\shell\AddToPlaylistVLC\ = "Add to VLC media player's Playlist"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogx\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3gp2\shell	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AAEDF0B-D333-4B27-A0C6-BBF31413A42E}\TypeLib\ = "{DF2BBE39-40A8-433B-A279-073F48DA94B6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amv\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rec\shell\PlayWithVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.a52\DefaultIcon	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.zip\shell\ = "Open"	vlc-3.0.20-win64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.pls\shell\AddToPlaylistVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.aob\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.dv\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.nsv\shell\AddToPlaylistVLC	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpa\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg4\shell\Open\ = "Play"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flac\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\shell\AddToPlaylistVLC\ = "Add to VLC media player's Playlist"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tp\shell\PlayWithVLC\command	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tp\shell\Open	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3gp2\shell\Open	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mka\shell\AddToPlaylistVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpc\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mxf\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmvb\shell\Open\command	vlc-3.0.20-win64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A4A20C2-93F3-44E8-8644-BEB2E3487E84}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m2v\shell\AddToPlaylistVLC	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\AddToPlaylistVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.caf\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wpl\shell\Open\ = "Play"	vlc-3.0.20-win64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AF314CF-8849-4A79-A3FC-8DE6625D9E72}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC97469F-CB11-4037-8DCE-5FC9F5F85307}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mts\shell\AddToPlaylistVLC\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m2t\ = "M2T Video File (VLC)"	vlc-3.0.20-win64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF48072F-5EF8-434E-9B40-E2F3AE759B5F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wv\shell\PlayWithVLC\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpc\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.f4v\ = "F4V Video File (VLC)"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogm\shell\Open\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogx\shell\AddToPlaylistVLC\command	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC97469F-CB11-4037-8DCE-5FC9F5F85307}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aiff	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp\shell\AddToPlaylistVLC\ = "Add to VLC media player's Playlist"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmi\shell\ = "Open"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.vro	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg4\shell\PlayWithVLC\Icon = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.a52	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tod\shell\Open\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m2ts\shell\Open\MultiSelectModel = "Player"	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.drc\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tta	vlc-3.0.20-win64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\DefaultIcon	vlc-3.0.20-win64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49E0DBD1-9440-466C-9C97-95C67190C603}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3gpp\shell\Open\command	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.gxf\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	vlc-3.0.20-win64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m4v\shell\AddToPlaylistVLC\ = "Add to VLC media player's Playlist"	vlc-3.0.20-win64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4332 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 354950.crdownload:SmartScreen msedge.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

vlc-3.0.20-win64.exetaskdl.exevlc.exe

pid process

4716 vlc-3.0.20-win64.exe
3288 taskdl.exe
5076 vlc.exe

pid	process
4332	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 354950.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exevlc-3.0.20-win64.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeConhost.exetaskhsvc.exemsedge.exemsedge.exe

pid	process
4196	msedge.exe
4196	msedge.exe
3832	msedge.exe
3832	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
1844	msedge.exe
1844	msedge.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4676	msedge.exe
4676	msedge.exe
4768	msedge.exe
4768	msedge.exe
2176	identity_helper.exe
2176	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
2936	Conhost.exe
2936	Conhost.exe
3768	taskhsvc.exe
3768	taskhsvc.exe
3768	taskhsvc.exe
3768	taskhsvc.exe
3768	taskhsvc.exe
3768	taskhsvc.exe
4776	msedge.exe
4776	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc-3.0.20-win64.exetaskdl.exe

pid process

4716 vlc-3.0.20-win64.exe
3288 taskdl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEtaskkill.exetaskkill.exefirefox.exeWMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: 33	4112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4112	AUDIODG.EXE
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	4068	firefox.exe
Token: SeDebugPrivilege	4068	firefox.exe
Token: SeIncreaseQuotaPrivilege	440	WMIC.exe
Token: SeSecurityPrivilege	440	WMIC.exe
Token: SeTakeOwnershipPrivilege	440	WMIC.exe
Token: SeLoadDriverPrivilege	440	WMIC.exe
Token: SeSystemProfilePrivilege	440	WMIC.exe
Token: SeSystemtimePrivilege	440	WMIC.exe
Token: SeProfSingleProcessPrivilege	440	WMIC.exe
Token: SeIncBasePriorityPrivilege	440	WMIC.exe
Token: SeCreatePagefilePrivilege	440	WMIC.exe
Token: SeBackupPrivilege	440	WMIC.exe
Token: SeRestorePrivilege	440	WMIC.exe
Token: SeShutdownPrivilege	440	WMIC.exe
Token: SeDebugPrivilege	440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	440	WMIC.exe
Token: SeRemoteShutdownPrivilege	440	WMIC.exe
Token: SeUndockPrivilege	440	WMIC.exe
Token: SeManageVolumePrivilege	440	WMIC.exe
Token: 33	440	WMIC.exe
Token: 34	440	WMIC.exe
Token: 35	440	WMIC.exe
Token: 36	440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	440	WMIC.exe
Token: SeSecurityPrivilege	440	WMIC.exe
Token: SeTakeOwnershipPrivilege	440	WMIC.exe
Token: SeLoadDriverPrivilege	440	WMIC.exe
Token: SeSystemProfilePrivilege	440	WMIC.exe
Token: SeSystemtimePrivilege	440	WMIC.exe
Token: SeProfSingleProcessPrivilege	440	WMIC.exe
Token: SeIncBasePriorityPrivilege	440	WMIC.exe
Token: SeCreatePagefilePrivilege	440	WMIC.exe
Token: SeBackupPrivilege	440	WMIC.exe
Token: SeRestorePrivilege	440	WMIC.exe
Token: SeShutdownPrivilege	440	WMIC.exe
Token: SeDebugPrivilege	440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	440	WMIC.exe
Token: SeRemoteShutdownPrivilege	440	WMIC.exe
Token: SeUndockPrivilege	440	WMIC.exe
Token: SeManageVolumePrivilege	440	WMIC.exe
Token: 33	440	WMIC.exe
Token: 34	440	WMIC.exe
Token: 35	440	WMIC.exe
Token: 36	440	WMIC.exe
Token: SeBackupPrivilege	4188	vssvc.exe
Token: SeRestorePrivilege	4188	vssvc.exe
Token: SeAuditPrivilege	4188	vssvc.exe
Token: SeTcbPrivilege	3388	taskse.exe
Token: SeTcbPrivilege	3388	taskse.exe
Token: SeTcbPrivilege	2180	taskse.exe
Token: SeTcbPrivilege	2180	taskse.exe
Token: SeTcbPrivilege	1304	taskse.exe
Token: SeTcbPrivilege	1304	taskse.exe
Token: SeTcbPrivilege	2608	taskse.exe
Token: SeTcbPrivilege	2608	taskse.exe
Token: SeTcbPrivilege	1552	taskse.exe
Token: SeTcbPrivilege	1552	taskse.exe
Token: SeTcbPrivilege	3064	taskse.exe
Token: SeTcbPrivilege	3064	taskse.exe
Token: SeTcbPrivilege	4720	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeGooseDesktop.exevlc-3.0.20-win64.exetaskdl.exevlc.exefirefox.exemsedge.exe

pid	process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
4344	GooseDesktop.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
3288	taskdl.exe
3288	taskdl.exe
3288	taskdl.exe
3288	taskdl.exe
5076	vlc.exe
5076	vlc.exe
5076	vlc.exe
5076	vlc.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exevlc-3.0.20-win64.exetaskdl.exevlc.exefirefox.exemsedge.exe

pid	process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
4716	vlc-3.0.20-win64.exe
3288	taskdl.exe
3288	taskdl.exe
3288	taskdl.exe
5076	vlc.exe
5076	vlc.exe
5076	vlc.exe
4068	firefox.exe
4068	firefox.exe
4068	firefox.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	process
4716	vlc-3.0.20-win64.exe
3288	taskdl.exe
5076	vlc.exe
4068	firefox.exe
2088	@[email protected]
2088	@[email protected]
1296	@[email protected]
1296	@[email protected]
1956	@[email protected]
1956	@[email protected]
1560	@[email protected]
1296	@[email protected]
4880	@[email protected]
4816	@[email protected]
4036	@[email protected]
4472	@[email protected]
3708	@[email protected]
1368	@[email protected]
3652	@[email protected]
3820	@[email protected]
3524	@[email protected]
500	@[email protected]
1156	@[email protected]
1800	@[email protected]
2240	@[email protected]
2952	@[email protected]
2136	@[email protected]
3844	@[email protected]
4060	@[email protected]
1800	@[email protected]
3084	@[email protected]
3996	@[email protected]
3432	@[email protected]
3228	@[email protected]
4344	@[email protected]
784	@[email protected]
2796	@[email protected]
3456	@[email protected]
4332	@[email protected]
4468	@[email protected]
4472	@[email protected]
4748	@[email protected]
1808	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3832 wrote to memory of 4420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 4420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3420	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 4196	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 4196	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe
PID 3832 wrote to memory of 3944	3832	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4616 attrib.exe
4004 attrib.exe

pid	process
4616	attrib.exe
4004	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Read me! Honk.txt"
1⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc887146f8,0x7ffc88714708,0x7ffc88714718
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
2⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
2⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
2⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
2⤵
PID:420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
2⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,17752669217169502905,9319914607659017318,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2280

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:2896

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DesktopGoose v0.31\config.ini
1⤵
PID:4752

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:508

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4756

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:2360

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4284

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:1264

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\DesktopGoose v0.31\Close Goose.bat" "
1⤵
PID:1964

C:\Windows\system32\taskkill.exe
taskkill /f /im goosedesktop.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DesktopGoose v0.31\config.ini
1⤵
PID:1224

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:776

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:680

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4948

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4972

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4636

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:3224

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:3532

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:3944

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:3416

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitBackup.mpa"
1⤵
PID:4716

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeLock.asx"
1⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\vlc-3.0.20-win64.exe
"C:\Users\Admin\AppData\Local\Temp\vlc-3.0.20-win64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
"C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe" C:\Program Files\VideoLAN\VLC\plugins
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\VideoLAN\VLC\axvlc.dll"
3⤵
PID:4188

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\VideoLAN\VLC\axvlc.dll"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:3164

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Program Files\VideoLAN\VLC\vlc.exe"
3⤵
PID:4168

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:464

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:1476

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:4952

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:3660

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3388

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\DesktopGoose v0.31\Close Goose.bat" "
1⤵
PID:4188

C:\Windows\system32\taskkill.exe
taskkill /f /im goosedesktop.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.0.276677281\422107" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20808 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d6dc582-aa99-4b92-88bf-569c18535a94} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 2004 29a602bef58 gpu
3⤵
PID:3380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.1.1017106648\995864238" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 20844 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f64794da-f781-48bd-b023-09ed09c87cc5} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 2380 29a53872858 socket
3⤵
- Checks processor information in registry
PID:2092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.2.1932785858\736888996" -childID 1 -isForBrowser -prefsHandle 3432 -prefMapHandle 3428 -prefsLen 20947 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b9c6ca8-5508-40c4-919e-71dbd712ade5} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 2908 29a640b2358 tab
3⤵
PID:4036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.3.1387664073\857047649" -childID 2 -isForBrowser -prefsHandle 1056 -prefMapHandle 1040 -prefsLen 26126 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfede0a3-84bc-4b7b-8c57-376c5c210a86} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1064 29a53862558 tab
3⤵
PID:1536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.4.1633325210\752125159" -childID 3 -isForBrowser -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cfc921c-b078-455f-8ab1-3efaa955bf27} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 4584 29a65fb5c58 tab
3⤵
PID:3672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.5.410957249\1885591848" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5032 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a47193-5243-4761-9a4e-a8fb2a2baeda} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 5096 29a6689e558 tab
3⤵
PID:4820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.6.1500682346\363921696" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44e0110d-06fd-49c5-81cb-6614aa698e3f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 5236 29a6689eb58 tab
3⤵
PID:1888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.7.361126273\1743889576" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22a487e4-0384-4711-9e2a-d36149912616} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 5428 29a668a1858 tab
3⤵
PID:652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.8.1845533426\120725160" -childID 7 -isForBrowser -prefsHandle 5828 -prefMapHandle 5820 -prefsLen 26441 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b6a9db9-5522-4a41-a235-27bab7f0b628} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 5788 29a668b5458 tab
3⤵
PID:1852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.9.609838184\994810734" -parentBuildID 20221007134813 -prefsHandle 5980 -prefMapHandle 5996 -prefsLen 26706 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e501461a-6bae-4c6b-b352-16475fd470b4} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 3956 29a62756258 rdd
3⤵
PID:3144

C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Desktop\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc887146f8,0x7ffc88714708,0x7ffc88714718
1⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
2⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
2⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
2⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
2⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6288 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6252 /prefetch:8
2⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6536 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6844 /prefetch:8
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
PID:2936

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:5064

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:4616

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 223811702433929.bat
3⤵
- Checks computer location settings
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:1908

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:4004

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
PID:1976

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:4288

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fqknnxxefjyk175" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fqknnxxefjyk175" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:4332

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1456

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4464

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3748

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3268

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:500

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:4260

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:3924

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:2092

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:5068

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:2984

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:3412

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:2240

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2752

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:1864

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2236

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:3400

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:4048

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:3552

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2004

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:996

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:5088

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:4052

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:4060

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:784

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:2984

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2772

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:3288

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:3944

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:3672

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:3380

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:1124

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:4692

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:500

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2940

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:4272

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:2052

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:2108

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:4228

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
2⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
2⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
2⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008876664735378062,14868962121186360902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
2⤵
PID:2828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc887146f8,0x7ffc88714708,0x7ffc88714718
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
2⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11142009137881381069,16099239227179138950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery