wannacry | hxxp://google[.]com

System Information Discovery

Processes:

tor-browser-windows-x86_64-portable-13.0.14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.0.14.exe

Drops startup file 12 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE1DB.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE1E2.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBF87.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBF8E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA0F4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9687.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD968E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB58C.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB593.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAB73.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAB7A.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA0ED.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetor-browser-windows-x86_64-portable-13.0.14.exetaskse.exe@[email protected]taskdl.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exelyrebird.exefirefox.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exefirefox.exefirefox.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exefirefox.exetaskse.exe@[email protected]taskdl.exefirefox.exetaskse.exe@[email protected]taskdl.exe

pid	process
1388	taskdl.exe
4668	@[email protected]
1932	@[email protected]
4856	taskhsvc.exe
5216	taskdl.exe
2420	taskse.exe
5704	@[email protected]
2968	taskdl.exe
2428	taskse.exe
180	@[email protected]
2372	taskdl.exe
2912	taskse.exe
1712	@[email protected]
5968	taskse.exe
1200	@[email protected]
1772	taskdl.exe
5228	tor-browser-windows-x86_64-portable-13.0.14.exe
3752	taskse.exe
5236	@[email protected]
4280	taskdl.exe
4440	firefox.exe
1452	firefox.exe
5372	firefox.exe
3740	firefox.exe
5892	firefox.exe
5308	tor.exe
5936	firefox.exe
1932	firefox.exe
6372	firefox.exe
6432	firefox.exe
6400	firefox.exe
7116	taskse.exe
7124	@[email protected]
7148	taskdl.exe
7148	taskse.exe
3536	@[email protected]
1508	taskdl.exe
3588	lyrebird.exe
5968	firefox.exe
6800	taskse.exe
5144	@[email protected]
6892	taskdl.exe
6172	taskse.exe
5956	@[email protected]
6192	taskdl.exe
6452	firefox.exe
7144	firefox.exe
4200	taskse.exe
5740	@[email protected]
6028	taskdl.exe
2156	taskse.exe
6288	@[email protected]
3992	taskdl.exe
6644	taskse.exe
6416	@[email protected]
5680	taskdl.exe
6404	firefox.exe
2904	taskse.exe
1532	@[email protected]
1632	taskdl.exe
4368	firefox.exe
4004	taskse.exe
2696	@[email protected]
6460	taskdl.exe

Loads dropped DLL 64 IoCs

Processes:

taskhsvc.exetor-browser-windows-x86_64-portable-13.0.14.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
5228	tor-browser-windows-x86_64-portable-13.0.14.exe
5228	tor-browser-windows-x86_64-portable-13.0.14.exe
5228	tor-browser-windows-x86_64-portable-13.0.14.exe
4440	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
5372	firefox.exe
5372	firefox.exe
5372	firefox.exe
5372	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5936	firefox.exe
5936	firefox.exe
5936	firefox.exe
5936	firefox.exe
3740	firefox.exe
3740	firefox.exe
5892	firefox.exe
5892	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
6372	firefox.exe
6372	firefox.exe
6372	firefox.exe
6372	firefox.exe
6432	firefox.exe
6432	firefox.exe
6432	firefox.exe
6432	firefox.exe
6400	firefox.exe
6400	firefox.exe
6400	firefox.exe
6400	firefox.exe
6372	firefox.exe
6372	firefox.exe
6400	firefox.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

400 icacls.exe

pid	process
400	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fylozfgiislz175 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

240 raw.githubusercontent.com
265 raw.githubusercontent.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

flow	ioc
240	raw.githubusercontent.com
265	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6932 taskkill.exe
4080 taskkill.exe
6148 taskkill.exe
3536 taskkill.exe
1020 taskkill.exe

pid	process
6932	taskkill.exe
4080	taskkill.exe
6148	taskkill.exe
3536	taskkill.exe
1020	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592202774024772"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exetor-browser-windows-x86_64-portable-13.0.14.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.14.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2296 reg.exe

pid	process
2296	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

lyrebird.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lyrebird.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exechrome.exemsedge.exechrome.exetaskhsvc.exelyrebird.exe

pid	process
1284	msedge.exe
1284	msedge.exe
1440	msedge.exe
1440	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
1444	chrome.exe
1444	chrome.exe
5468	msedge.exe
5468	msedge.exe
5468	msedge.exe
5468	msedge.exe
5128	chrome.exe
5128	chrome.exe
5128	chrome.exe
5128	chrome.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
4856	taskhsvc.exe
3588	lyrebird.exe
3588	lyrebird.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exechrome.exe

pid	process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

msedge.exechrome.exefirefox.exe

pid	process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe
1452	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4668	@[email protected]
4668	@[email protected]
1932	@[email protected]
1932	@[email protected]
5704	@[email protected]
5704	@[email protected]
180	@[email protected]
1712	@[email protected]
1200	@[email protected]
5236	@[email protected]
1452	firefox.exe
7124	@[email protected]
3536	@[email protected]
5144	@[email protected]
5956	@[email protected]
5740	@[email protected]
6288	@[email protected]
6416	@[email protected]
1532	@[email protected]
2696	@[email protected]
1664	@[email protected]
628	@[email protected]
6784	@[email protected]
6704	@[email protected]
5024	@[email protected]
3672	@[email protected]
6208	@[email protected]
6584	@[email protected]
1500	@[email protected]
6980	@[email protected]
4884	@[email protected]
6300	@[email protected]
1668	@[email protected]
2748	@[email protected]
6556	@[email protected]
2948	@[email protected]
5404	@[email protected]
6664	@[email protected]
4980	@[email protected]
5436	@[email protected]
1832	@[email protected]
5364	@[email protected]
6080	@[email protected]
808	@[email protected]
5440	@[email protected]
2856	@[email protected]
4984	@[email protected]
5900	@[email protected]
952	@[email protected]
6208	@[email protected]
6620	@[email protected]
6556	@[email protected]
644	@[email protected]
6348	@[email protected]
3096	@[email protected]
3120	@[email protected]
1228	@[email protected]
3560	@[email protected]
6484	@[email protected]
6600	@[email protected]
628	@[email protected]
4860	@[email protected]
6824	@[email protected]
7040	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1440 wrote to memory of 3568	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 3568	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 5104	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1284	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1284	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4112	1440	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2436 attrib.exe
6436 attrib.exe
6260 attrib.exe
4964 attrib.exe
4284 attrib.exe
6644 attrib.exe
1712 attrib.exe
5484 attrib.exe

pid	process
2436	attrib.exe
6436	attrib.exe
6260	attrib.exe
4964	attrib.exe
4284	attrib.exe
6644	attrib.exe
1712	attrib.exe
5484	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe080f46f8,0x7ffe080f4708,0x7ffe080f4718
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8186858892399823235,9736487612954973067,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3164 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdf374cc40,0x7ffdf374cc4c,0x7ffdf374cc58
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1968 /prefetch:2
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2432 /prefetch:8
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3740 /prefetch:1
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4740 /prefetch:8
2⤵
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5016,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:6032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4784,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3540,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3580 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5216,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5308,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3388,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5448 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4896,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3420 /prefetch:1
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4140,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5776,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3568 /prefetch:8
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6004,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6008,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6152,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6084 /prefetch:8
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5708,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:5428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6196,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5868,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3484 /prefetch:8
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5836,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1524 /prefetch:8
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6012,i,4957745983128442179,12892371525732748895,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3528 /prefetch:8
2⤵
PID:912

C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.14.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.14.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5228

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4440

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.0.1184760347\998814642" -parentBuildID 20240416150000 -prefsHandle 2112 -prefMapHandle 1724 -prefsLen 19248 -prefMapSize 243660 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {554307d3-637d-434b-b924-c69e1fd3c226} 1452 gpu
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5372

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.1.640069944\889109558" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2840 -prefsLen 20081 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a9dc9c77-480f-4aeb-bcbf-41dda1f0a169} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3740

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:2d05376fd05b078760f4eca5ba8f72054d0e737518a11ab5db30e8fa71 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1452 DisableNetwork 1
5⤵
- Executes dropped EXE
PID:5308

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.2.937435354\488670704" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 20899 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {84b35795-7788-4041-91b3-f3e96a517146} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5892

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.3.1786611039\1950034365" -childID 3 -isForBrowser -prefsHandle 3680 -prefMapHandle 3684 -prefsLen 20976 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {04819233-2388-4055-8206-cdd11d955fa6} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5936

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.4.144307569\374597517" -parentBuildID 20240416150000 -prefsHandle 3644 -prefMapHandle 3272 -prefsLen 22151 -prefMapSize 243660 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {998bab7b-61ca-4b42-9743-b489444ff9e7} 1452 rdd
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.5.1017092565\1358358367" -childID 4 -isForBrowser -prefsHandle 4060 -prefMapHandle 4040 -prefsLen 22199 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {068cc911-1e9f-4a44-abc7-f0fd7f846b39} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6372

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.6.1382143126\856646186" -childID 5 -isForBrowser -prefsHandle 4332 -prefMapHandle 4328 -prefsLen 22199 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e89359ff-4a73-42d0-8439-6148f46fe8a9} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6400

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.7.819666244\1464722194" -childID 6 -isForBrowser -prefsHandle 4436 -prefMapHandle 4440 -prefsLen 22199 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1272786d-599e-4e1a-a5a7-7a18f5d2a6aa} 1452 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6432

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.8.145375201\1996878989" -childID 7 -isForBrowser -prefsHandle 1432 -prefMapHandle 1636 -prefsLen 22764 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {77468fe2-caa2-43a2-922e-2cfe8ffb89bd} 1452 tab
5⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.9.652202637\227487900" -childID 8 -isForBrowser -prefsHandle 4132 -prefMapHandle 4120 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6fc4477d-1405-49a6-ad49-1af496d583c8} 1452 tab
5⤵
- Executes dropped EXE
PID:6452

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.10.361388123\569240630" -childID 9 -isForBrowser -prefsHandle 5008 -prefMapHandle 4504 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {07051525-c4c1-494e-a3a3-36040e78e265} 1452 tab
5⤵
- Executes dropped EXE
PID:7144

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.11.661628503\372697666" -childID 10 -isForBrowser -prefsHandle 4428 -prefMapHandle 4144 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2d29d90a-f3d5-47d8-8100-b723fec7b9a1} 1452 tab
5⤵
- Executes dropped EXE
PID:6404

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.12.2060429035\1203967962" -childID 11 -isForBrowser -prefsHandle 4644 -prefMapHandle 4356 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {824039c8-2713-4e4b-88c8-9cba2a5bc505} 1452 tab
5⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.13.1803306072\1060980393" -childID 12 -isForBrowser -prefsHandle 4932 -prefMapHandle 4040 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5b62d54c-7986-4352-8d3b-97537e4548c1} 1452 tab
5⤵
PID:7120

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1452.14.2100754602\964748454" -childID 13 -isForBrowser -prefsHandle 4896 -prefMapHandle 2764 -prefsLen 22924 -prefMapSize 243660 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240416150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {93007b9e-6618-4197-a4e9-397fbe50cb67} 1452 tab
5⤵
PID:6444

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:552

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1712

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:400

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 313821714746935.bat
2⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4016

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:5484

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:5584

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5216

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fylozfgiislz175" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fylozfgiislz175" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2296

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:180

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5236

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:7116

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7124

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7148

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:7148

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:6800

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6892

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:6172

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5956

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6192

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5740

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6028

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2156

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6288

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:6644

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6416

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5680

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2904

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4004

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6460

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6960

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6784

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6704

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6724

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6960

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6208

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6584

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6300

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6556

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6664

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6408

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2436

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5364

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:808

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6292

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:952

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6208

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6620

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:180

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6556

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:644

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6348

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3120

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3560

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6936

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6484

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6600

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:6824

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6292

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6540

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:7160

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im MSExchange*
2⤵
- Kills process with taskkill
PID:6148

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlserver.exe
2⤵
- Kills process with taskkill
PID:4080

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
PID:6932

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im mysqld.exe
2⤵
- Kills process with taskkill
PID:1020

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:6436

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:3752

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:6260

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6300

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4964

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:7000

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4284

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
PID:1940

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:6644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

System Information Discovery