cryptolocker | 8bccc78422858ec95ce2b9b29e53c1ae4aacfd37fdcc35d38e90410ef8cd8c0b

System Information Discovery

Processes:

winzip28-downwz.exewinzip28-downwz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	winzip28-downwz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	winzip28-downwz.exe

Drops startup file 3 IoCs

Processes:

explorer.exeRansomware.WannaCry44pt0r.v2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\38867a69.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB605.tmp	Ransomware.WannaCry44pt0r.v2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB60C.tmp	Ransomware.WannaCry44pt0r.v2.exe

Executes dropped EXE 64 IoCs

Processes:

winrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exewinzip28-downwz.exewinzip28-downwz.exewinzip28-downwz.exewinzip28-downwz.exewinrar-x64-700.exeRansomware.CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeRansomware.WannaCry44pt0r.v2.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
4888	winrar-x64-700.exe
4488	winrar-x64-700.exe
3876	winrar-x64-700.exe
3508	winzip28-downwz.exe
1820	winzip28-downwz.exe
3152	winzip28-downwz.exe
4608	winzip28-downwz.exe
4220	winrar-x64-700.exe
1292	Ransomware.CryptoLocker.exe
5300	{34184A33-0407-212E-3320-09040709E2C2}.exe
5396	{34184A33-0407-212E-3320-09040709E2C2}.exe
5736	Ransomware.WannaCry44pt0r.v2.exe
3680	taskdl.exe
2824	@[email protected]
5892	@[email protected]
2664	taskhsvc.exe
5376	@[email protected]
4392	@[email protected]
3220	taskdl.exe
6076	taskse.exe
5104	@[email protected]
2292	taskdl.exe
2632	taskse.exe
4492	@[email protected]
1596	taskdl.exe
6064	taskse.exe
1264	@[email protected]
4436	taskdl.exe
6116	taskse.exe
2072	@[email protected]
2396	taskse.exe
2804	@[email protected]
4248	taskdl.exe
2940	taskse.exe
2436	@[email protected]
5760	taskdl.exe
5808	taskse.exe
5456	@[email protected]
1312	taskdl.exe
2548	taskse.exe
6032	@[email protected]
3316	taskdl.exe
4892	taskse.exe
5984	@[email protected]
5216	taskdl.exe
2404	taskse.exe
1892	@[email protected]
4388	taskdl.exe
4080	@[email protected]
960	taskse.exe
5944	taskdl.exe
304	{34184A33-0407-212E-3320-09040709E2C2}.exe
5808	{34184A33-0407-212E-3320-09040709E2C2}.exe
6004	{34184A33-0407-212E-3320-09040709E2C2}.exe
1316	{34184A33-0407-212E-3320-09040709E2C2}.exe
5416	{34184A33-0407-212E-3320-09040709E2C2}.exe
4248	{34184A33-0407-212E-3320-09040709E2C2}.exe
3876	{34184A33-0407-212E-3320-09040709E2C2}.exe
2732	taskse.exe
3408	@[email protected]
2100	taskdl.exe
2804	taskse.exe
5476	@[email protected]
828	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

2664 taskhsvc.exe
2664 taskhsvc.exe
2664 taskhsvc.exe
2664 taskhsvc.exe
2664 taskhsvc.exe
2664 taskhsvc.exe
2664 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5172 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe

pid	process
5172	icacls.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

WScript.exeWScript.exeWScript.exeexplorer.exereg.exeWScript.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinDLL = "C:\\Windows\\WinDLL.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinDLL = "C:\\Windows\\WinDLL.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel = "C:\\Windows\\System32\\MSKernel.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinDLL = "C:\\Windows\\WinDLL.vbs"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\38867a6 = "C:\\38867a69\\38867a69.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\38867a69 = "C:\\Users\\Admin\\AppData\\Roaming\\38867a69.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vatcnugcm513 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel = "C:\\Windows\\System32\\MSKernel.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinDLL = "C:\\Windows\\WinDLL.vbs"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel = "C:\\Windows\\System32\\MSKernel.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel = "C:\\Windows\\System32\\MSKernel.vbs"	WScript.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
126	camo.githubusercontent.com
127	camo.githubusercontent.com
135	raw.githubusercontent.com
136	raw.githubusercontent.com
910	camo.githubusercontent.com
911	camo.githubusercontent.com
1647	raw.githubusercontent.com
128	camo.githubusercontent.com
129	camo.githubusercontent.com
130	camo.githubusercontent.com
1167	raw.githubusercontent.com

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-addr.es
594	ip-addr.es
2594	ip-addr.es
2685	ip-addr.es
226	ip-addr.es
889	ip-addr.es
2781	ip-addr.es
2485	ip-addr.es
52	ip-addr.es
1252	ip-addr.es
1367	ip-addr.es
2364	ip-addr.es
1648	ip-addr.es
1792	ip-addr.es
2185	ip-addr.es
3	ip-addr.es
115	ip-addr.es
155	ip-addr.es
770	ip-addr.es

Drops file in System32 directory 64 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\RACHUNK.TXT.vbs	WScript.exe
File opened for modification	C:\Windows\System32\oobe\FirstLogonAnim.html.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs	WScript.exe
File opened for modification	C:\Windows\System32\oobe\FirstLogonAnim.html.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\default.help.txt.vbs	WScript.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	WScript.exe
File opened for modification	C:\Windows\system32\RACHUNEK.HTM	WScript.exe
File opened for modification	C:\Windows\system32\catroot2\dberr.txt	WScript.exe
File opened for modification	C:\Windows\System32\MSKernel.vbs	WScript.exe
File opened for modification	C:\Windows\system32\MailContactsCalendarSync\LiveDomainList.txt	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File opened for modification	C:\Windows\system32\WindowsCodecsRaw.txt	WScript.exe
File opened for modification	C:\Windows\System32\MSDRM\MsoIrmProtector.xls.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prncnfg.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	WScript.exe
File opened for modification	C:\Windows\System32\RACHUNK.TXT.vbs	WScript.exe
File opened for modification	C:\Windows\System32\RACHUNK.TXT.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnokcl2.inf_amd64_1e45a4f567fdae98\OKV4ClassUSB_0000.js	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnokcl2.inf_amd64_1e45a4f567fdae98\OKV4ClassUSB_0000.js	WScript.exe
File opened for modification	C:\Windows\system32\MailContactsCalendarSync\LiveDomainList.txt	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saacusb.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_faa2804656671550\MPDW-constraints.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrccl1.inf_amd64_dfe2d643f3e20cd0\rcusbbidi.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl1.inf_amd64_c6040b9adc0369af\amd64\hpbxusbbidiwb.js	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\winrm.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl3.inf_amd64_0e666fb8f1b0545e\amd64\hppcl6usbext.js	WScript.exe
File opened for modification	C:\Windows\system32\WindowsPowerShell\v1.0\ja-JP\default.help.txt	WScript.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\default.help.txt.vbs	WScript.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\default.help.txt.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deacusb.vbs	WScript.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_BIDIUSBJS1.JS	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

Ransomware.WannaCry44pt0r.v2.exe@[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	Ransomware.WannaCry44pt0r.v2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\challenge_tripeaks.jpg	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_1.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\WesternDeck4.jpg	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\ui-strings.js	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.vbs	WScript.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Dust.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELM.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\autumn.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Sign_in_size.jpg	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Tips_1.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\ui-strings.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\dailyChallenge_bp_920.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\whmarble.jpg	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Upsell_Image.jpg	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg1.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.vbs	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Aquarium.jpg.vbs	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\AquariumDeck4.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif	WScript.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallKlondikeTile.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt.vbs	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	WScript.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	WScript.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\see_all_bp_920.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ui-strings.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js	WScript.exe

Drops file in Windows directory 64 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoShutdownsInclusive.html.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\oobewelcome-vm.js	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_en-us_6d9c8cc1c70769c1\500-17.htm.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_101f5fa4ba0071c8\404-9.htm.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_9c6cd4f8844d6921\404-13.htm.vbs	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.15063.0_none_224b97ad28ee338b\LearnMore.html	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Goal_2.jpg.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\UpsellFooterBannerDesktop.jpg	WScript.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\proxyerror.htm.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\oobezdp-vm.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Freecell_bp_809.jpg	WScript.exe
File opened for modification	C:\Windows\Media\Windows Battery Low.wav	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2d1701b3928f96c2\acr_error.htm.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireWideTile.scale-200.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\Media\Alarm03.wav	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\defaultbrowser.htm.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..che.desktop.cortana_31bf3856ad364e35_10.0.15063.0_none_d2e87c3d4b5230ae\1.txt.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Control_1.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif.vbs	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ApplicationGuard\LearnMore.html	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\errorHandler.html	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeoemregistration-main.html.vbs	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\retailDemoMsaInclusive.html	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_en-us_6d9c8cc1c70769c1\403-10.htm	WScript.exe
File opened for modification	C:\Windows\Media\Alarm07.wav.vbs	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\en-US\assets\ErrorPages\http_403.htm	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\HostedApplication.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..icfirstrun.appxmain_31bf3856ad364e35_10.0.15063.0_none_83dc6003e01c7937\WalkRoomBoundary.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_101f5fa4ba0071c8\404-10.htm	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.15063.0_none_224b97ad28ee338b\flags.htm	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\GameOverPopUp_D.wav.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Tips_4.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\ooberegion-main.html	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a0c98c5fc8429f69\unknownprotocol.htm	WScript.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\Microsoft.Advertising\ormma.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\default-progress-vm.js	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_101f5fa4ba0071c8\404-15.htm	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mail-app_31bf3856ad364e35_10.0.15063.0_none_026c06c18883ec63\Roses.htm.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargeFreecellTile.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\proxyerror.htm	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\default-frame-template.html	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2d1701b3928f96c2\unknownprotocol.htm	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\unknownprotocol.htm	WScript.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoAdmin.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\oobeerror-vm.js	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_101f5fa4ba0071c8\403-8.htm	WScript.exe
File created	C:\Windows\Media\Ring07.wav.vbs	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\BlockSite.htm	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_9c6cd4f8844d6921\403.htm.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_de-de_5555e383e66b8b9d\WpcBlockFrame.htm.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_base.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\ErrorPages\pdferror.html.vbs	WScript.exe
File created	C:\Windows\Media\Alarm07.wav.vbs	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\oobezdp-page.js	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_101f5fa4ba0071c8\403-14.htm	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_en-us_fe46b97cd5499762\dnserror.html	WScript.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_it-it_8af182a69f7484e7\tlserror.htm	WScript.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2d1701b3928f96c2\WpcBlockFrame.htm.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_background_full.jpg	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Tips_5.jpg.vbs	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg	WScript.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_3.jpg	WScript.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobelicense-vm.js	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4220 1820 WerFault.exe winzip28-downwz.exe

pid	pid_target	process	target process
4220	1820	WerFault.exe	winzip28-downwz.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2796 vssadmin.exe
5956 vssadmin.exe

pid	process
2796	vssadmin.exe
5956	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.playboy.com"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.playboy.com"	WScript.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553782986583686"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000020000000100000006000000050000000400000003000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000000000000100000006000000050000000400000003000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000010000000600000005000000040000000300000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000010000000200000006000000050000000400000003000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000008027dfe0a064da01da634c1ea864da01da634c1ea864da0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5996 reg.exe
Opens file in notepad (likely ransom note) 5 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

5116 NOTEPAD.EXE
5296 NOTEPAD.EXE
3108 NOTEPAD.EXE
4400 NOTEPAD.EXE
3544 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

5888 vlc.exe

pid	process
5996	reg.exe

pid	process
5116	NOTEPAD.EXE
5296	NOTEPAD.EXE
3108	NOTEPAD.EXE
4400	NOTEPAD.EXE
3544	NOTEPAD.EXE

pid	process
5888	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exechrome.exetaskhsvc.exechrome.exechrome.exechrome.exetaskmgr.exe

pid	process
516	chrome.exe
516	chrome.exe
516	chrome.exe
3680	chrome.exe
3680	chrome.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
744	chrome.exe
744	chrome.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
2664	taskhsvc.exe
5468	chrome.exe
5468	chrome.exe
5492	chrome.exe
5492	chrome.exe
5276	chrome.exe
5276	chrome.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe
2144	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

chrome.exevlc.exe@[email protected]chrome.exechrome.exetaskmgr.exe

pid process

5320 chrome.exe
5888 vlc.exe
5376 @[email protected]
5476 chrome.exe
1880 chrome.exe
2144 taskmgr.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Ransomware.CryptoWall.exeexplorer.exe

pid process

2836 Ransomware.CryptoWall.exe
1452 explorer.exe

pid	process
5320	chrome.exe
5888	vlc.exe
5376	@[email protected]
5476	chrome.exe
1880	chrome.exe
2144	taskmgr.exe

pid	process
2836	Ransomware.CryptoWall.exe
1452	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exechrome.exe

description	pid	process
Token: SeBackupPrivilege	308	vssvc.exe
Token: SeRestorePrivilege	308	vssvc.exe
Token: SeAuditPrivilege	308	vssvc.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

winrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exewinzip28-downwz.exewinzip28-downwz.exewinrar-x64-700.exechrome.exechrome.exechrome.exechrome.exevlc.exechrome.exechrome.exechrome.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]chrome.exe@[email protected]chrome.exechrome.exe@[email protected]OpenWith.exe@[email protected]@[email protected]@[email protected]chrome.exe@[email protected]chrome.exechrome.exe@[email protected]

pid	process
4888	winrar-x64-700.exe
4888	winrar-x64-700.exe
4488	winrar-x64-700.exe
4488	winrar-x64-700.exe
4488	winrar-x64-700.exe
3876	winrar-x64-700.exe
3876	winrar-x64-700.exe
3876	winrar-x64-700.exe
3152	winzip28-downwz.exe
4608	winzip28-downwz.exe
4220	winrar-x64-700.exe
4220	winrar-x64-700.exe
4220	winrar-x64-700.exe
5320	chrome.exe
5320	chrome.exe
5320	chrome.exe
2204	chrome.exe
1376	chrome.exe
5384	chrome.exe
5888	vlc.exe
1540	chrome.exe
5980	chrome.exe
2196	chrome.exe
2824	@[email protected]
2824	@[email protected]
5892	@[email protected]
5892	@[email protected]
5376	@[email protected]
5376	@[email protected]
4392	@[email protected]
5104	@[email protected]
4492	@[email protected]
1264	@[email protected]
2072	@[email protected]
2804	@[email protected]
2436	@[email protected]
5456	@[email protected]
6032	@[email protected]
5476	chrome.exe
5984	@[email protected]
5784	chrome.exe
4564	chrome.exe
1892	@[email protected]
2740	OpenWith.exe
4080	@[email protected]
3408	@[email protected]
3408	@[email protected]
5476	@[email protected]
1880	chrome.exe
6652	@[email protected]
2376	chrome.exe
1480	chrome.exe
6484	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ransomware.CryptoWall.exeexplorer.exechrome.exe

description	pid	process	target process
PID 2836 wrote to memory of 1452	2836	Ransomware.CryptoWall.exe	explorer.exe
PID 2836 wrote to memory of 1452	2836	Ransomware.CryptoWall.exe	explorer.exe
PID 2836 wrote to memory of 1452	2836	Ransomware.CryptoWall.exe	explorer.exe
PID 1452 wrote to memory of 2208	1452	explorer.exe	svchost.exe
PID 1452 wrote to memory of 2208	1452	explorer.exe	svchost.exe
PID 1452 wrote to memory of 2208	1452	explorer.exe	svchost.exe
PID 1452 wrote to memory of 2796	1452	explorer.exe	vssadmin.exe
PID 1452 wrote to memory of 2796	1452	explorer.exe	vssadmin.exe
PID 1452 wrote to memory of 2796	1452	explorer.exe	vssadmin.exe
PID 516 wrote to memory of 2284	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2284	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2496	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 3264	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 3264	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe
PID 516 wrote to memory of 2176	516	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3008 attrib.exe
5796 attrib.exe

pid	process
3008	attrib.exe
5796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware.CryptoWall.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.CryptoWall.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\syswow64\svchost.exe
-k netsvcs
3⤵
PID:2208

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c5559758,0x7ff9c5559768,0x7ff9c5559778
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1488 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:2
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff77f2e7688,0x7ff77f2e7698,0x7ff77f2e76a8
3⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4540 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3036 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4020 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1080 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5208 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5520 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4116 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3156 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4088

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3852 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5088 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5132 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5016 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3988 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6468 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6628 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7004 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:1436

C:\Users\Admin\Downloads\winzip28-downwz.exe
"C:\Users\Admin\Downloads\winzip28-downwz.exe"
2⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\e5d96a5\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28-downwz.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1812
4⤵
- Program crash
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5144 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6556 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7024 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6256 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7156 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6640 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5208 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=5952 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6324 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=5868 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=5488 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=4896 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6048 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=5888 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=7692 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7904 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=7896 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7880 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8224 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=8216 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=5624 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=7464 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7604 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=7612 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7968 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=7496 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=2044 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=7888 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=4700 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=5900 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=8112 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=5804 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8072 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:8
2⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=7708 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=6076 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=7516 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=8584 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=7672 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=7948 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=5512 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=5608 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=7768 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=7732 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=7724 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=8888 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=1572 --field-trial-handle=1736,i,3418880589018713271,3406580719285387839,131072 /prefetch:1
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4864

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Users\Admin\Downloads\winzip28-downwz.exe
"C:\Users\Admin\Downloads\winzip28-downwz.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Users\Admin\AppData\Local\Temp\e5de448\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28-downwz.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1552

C:\Users\Admin\Desktop\Ransomware.CryptoLocker.exe
"C:\Users\Admin\Desktop\Ransomware.CryptoLocker.exe"
1⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\Ransomware.CryptoLocker.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5300

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
3⤵
- Executes dropped EXE
PID:5396

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
3⤵
- Executes dropped EXE
PID:304

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
4⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
4⤵
- Executes dropped EXE
PID:6004

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
5⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
5⤵
- Executes dropped EXE
PID:5416

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
6⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000210
6⤵
- Executes dropped EXE
PID:3876

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:4220

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:6096

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
PID:6092

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
PID:5576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\SubmitUnpublish.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5116

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5296

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c5559758,0x7ff9c5559768,0x7ff9c5559778
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:2
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3920 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3948 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5088 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4064 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3800 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3932 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3796 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5208 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4776 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5568 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5784 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5948 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6232 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6668 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6680 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=2252 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:8
2⤵
PID:6132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3264 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3248 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=2556 --field-trial-handle=1868,i,4969771749454408482,13496940907865706068,131072 /prefetch:1
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4400

C:\Users\Admin\Desktop\Ransomware.WannaCry44pt0r.v2.exe
"C:\Users\Admin\Desktop\Ransomware.WannaCry44pt0r.v2.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:5736

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3008

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5172

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 29431710905485.bat
2⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:2504

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:5796

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:2612

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:2380

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:5956

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2780

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3220

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:6076

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vatcnugcm513" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:5156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vatcnugcm513" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5996

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:6116

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2940

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5760

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5456

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3316

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:4892

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5984

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5216

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:960

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5944

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2804

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:828

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6316

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6652

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4060

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6116

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6484

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6560

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:1164

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:996

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2064

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:2596

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:7020

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:5600

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:1344

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:4028

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2632

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6344

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:4768

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4060

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6356

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:6660

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6468

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:2076

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:6948

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:892

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:3396

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5780

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6072

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:5344

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:3468

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6764

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6568

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5260

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6732

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:3600

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5820

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6420

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:2544

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:1568

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:5252

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6860

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:6676

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3068

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:7080

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5352

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1856

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:4572

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:6708

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2236

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:984

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5768

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:1040

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:1972

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:5740

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6552

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:2440

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:2292

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:5316

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:5496

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:960

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:7044

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:6500

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:3396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5604

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5376

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c5559758,0x7ff9c5559768,0x7ff9c5559778
2⤵
PID:5220

C:\Users\Admin\Desktop\taskdl.exe
"C:\Users\Admin\Desktop\taskdl.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\Desktop\taskse.exe
"C:\Users\Admin\Desktop\taskse.exe"
1⤵
- Executes dropped EXE
PID:6064

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:5180

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c5559758,0x7ff9c5559768,0x7ff9c5559778
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1396 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:2
2⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4676 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3092 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4836 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4552 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4868 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5156 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5532 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5556 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5700 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5896 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3384 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5980 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5012 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6184 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6904 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4440 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5496 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5704 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7116 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=908 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5260 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7276 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5452 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6396 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6288 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=5116 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:6712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7108 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:6920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7116 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:6200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=5232 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=7720 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=7920 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:6660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7064 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:8
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=7772 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5248 --field-trial-handle=1788,i,17599603212300057315,14813041232038408482,131072 /prefetch:1
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Worm.ILOVE44YOU.txt.vbs"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:5552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Worm.ILOVE44YOU.txt.vbs"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:5872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Worm.ILOVE44YOU.txt.vbs"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Worm.ILOVE44YOU.txt.vbs"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:1744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:7040

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\Virus.Melissa.doc" /o ""
1⤵
PID:2192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6484

C:\Users\Admin\Desktop\TaskData\Tor\tor.exe
"C:\Users\Admin\Desktop\TaskData\Tor\tor.exe"
1⤵
PID:6820

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:6148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

File and Directory Permissions Modification

T1222

Modify Registry

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery