Analysis
-
max time kernel
639s -
max time network
640s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-08-2024 03:25
Static task
static1
Behavioral task
behavioral1
Sample
BrowserCollector_x64.exe
Resource
win11-20240802-en
General
-
Target
BrowserCollector_x64.exe
-
Size
779KB
-
MD5
71b5e70a257f47dd6c9ead4f1010bd88
-
SHA1
f75c41ecbf6f34ca0048534d72f8847b37c38229
-
SHA256
9edcf4905388c25cb2782272ed5458157c6fded7d6e5ef0439102f1c74fd9925
-
SHA512
475fd6c74c835fcdc765b56bb7baa18926e6da6c497f160386429938148f9277447918a678b41c9bf1293988896530f4fcac17d1fa93f630a446263f07d9f45f
-
SSDEEP
12288:ksUHsZCB1OcBfiv3P6gIo/Bw9av4Xzo0P9MqETKTvNo4UvXCt:k3RB8Wfiv3PJImBw9ag5P9MqETWxI
Malware Config
Extracted
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8C63.tmp [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8C6A.tmp [email protected] -
Executes dropped EXE 64 IoCs
pid Process 3104 taskdl.exe 3676 @[email protected] 2388 @[email protected] 1244 taskhsvc.exe 3556 taskse.exe 5428 @[email protected] 4532 taskdl.exe 3092 taskse.exe 5752 @[email protected] 5472 taskdl.exe 5164 taskse.exe 2568 @[email protected] 408 taskdl.exe 4912 taskse.exe 5512 @[email protected] 3464 taskdl.exe 2388 taskse.exe 4788 @[email protected] 5252 taskdl.exe 5084 LWwkAMIQ.exe 3316 uwEUcAUg.exe 5396 taskse.exe 1336 @[email protected] 924 taskdl.exe 5712 [email protected] 3096 [email protected] 5244 [email protected] 3060 [email protected] 4276 [email protected] 1204 [email protected] 240 [email protected] 5376 [email protected] 4152 [email protected] 5884 [email protected] 2956 [email protected] 1936 [email protected] 1308 [email protected] 2204 [email protected] 5844 [email protected] 2584 [email protected] 4008 [email protected] 2364 [email protected] 2996 Process not Found 1936 Process not Found 1900 Process not Found 648 Process not Found 444 Process not Found 2584 Process not Found 6032 Process not Found 2184 Process not Found 4692 Process not Found 4336 Process not Found 5888 Process not Found 5088 Process not Found 1640 Process not Found 2232 Process not Found 1292 Process not Found 4632 Process not Found 1440 Process not Found 3012 Process not Found 6044 Process not Found 4896 Process not Found 1836 Process not Found 2800 Process not Found -
Loads dropped DLL 7 IoCs
pid Process 1244 taskhsvc.exe 1244 taskhsvc.exe 1244 taskhsvc.exe 1244 taskhsvc.exe 1244 taskhsvc.exe 1244 taskhsvc.exe 1244 taskhsvc.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1732 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uwEUcAUg.exe = "C:\\ProgramData\\ouMoEgoM\\uwEUcAUg.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uwEUcAUg.exe = "C:\\ProgramData\\ouMoEgoM\\uwEUcAUg.exe" uwEUcAUg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\LWwkAMIQ.exe = "C:\\Users\\Admin\\PMkQgkYg\\LWwkAMIQ.exe" LWwkAMIQ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\olcfvlzcexhkc292 = "\"C:\\Users\\Admin\\Downloads\\WannaCrypt0r\\tasksche.exe\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\LWwkAMIQ.exe = "C:\\Users\\Admin\\PMkQgkYg\\LWwkAMIQ.exe" [email protected] -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 15 raw.githubusercontent.com 77 raw.githubusercontent.com 133 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons.png.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PowerShell.PackageManagement.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_el.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_en_135x40.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pt_135x40.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_sv.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\ar.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\nl.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\resources.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Internal.msix.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\sl.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\VisualElements\LogoCanary.png.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\fa.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\el.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\gu.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\cs.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\nacl_irt_x86_64.nexe.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Entities.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Other.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ca.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\lb.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_es.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_sr-Cyrl-RS.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\zh-TW.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\sr.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_helper.exe.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\mi.pak.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\fa.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Sigma\Analytics.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\fr.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\msedgewebview2.exe.sig.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Canary.msix.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Fingerprinting.DATA.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\desktop-tool-view.css.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_uk.dll.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\lt.pak.9F22A8F69F6988BB8F6A6C6062F903C196B2C0D21BDC8981CF4806DE7C72D3E0 [email protected] -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3824 2388 WerFault.exe 134 2584 2388 WerFault.exe 134 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Winword.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [email protected] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Winword.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 [email protected] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Process not Found -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Winword.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1935825542" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" Process not Found Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31126846" Process not Found -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133688572591994211" chrome.exe -
Modifies registry class 37 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "6" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings firefox.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 8c003100000000001759761b110050524f4752417e310000740009000400efbec55259611759761b2e0000003f0000000000010000000000000000004a000000000006118d00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 6020 reg.exe 2764 reg.exe 1308 reg.exe 4640 reg.exe 4896 reg.exe 5040 reg.exe 1212 reg.exe 2204 Process not Found 4896 Process not Found 3880 reg.exe 2628 Process not Found 6036 reg.exe 5244 reg.exe 3968 reg.exe 5840 reg.exe 5516 reg.exe 5752 Process not Found 2076 reg.exe 5020 reg.exe 1388 reg.exe 5288 reg.exe 240 reg.exe 4776 reg.exe 5452 reg.exe 2348 reg.exe 5640 reg.exe 4864 reg.exe 5992 reg.exe 5244 reg.exe 4636 reg.exe 3988 reg.exe 5280 reg.exe 6096 reg.exe 5928 Process not Found 3880 reg.exe 3560 reg.exe 1640 reg.exe 2864 reg.exe 2288 reg.exe 4608 Process not Found 4768 reg.exe 4640 reg.exe 2452 Process not Found 2108 reg.exe 3428 reg.exe 3380 reg.exe 1640 reg.exe 4360 reg.exe 1212 reg.exe 2996 reg.exe 3572 reg.exe 5040 reg.exe 2936 Process not Found 2584 reg.exe 912 reg.exe 1416 Process not Found 3012 reg.exe 6032 Process not Found 5792 reg.exe 2996 reg.exe 5064 Process not Found 4600 reg.exe 4600 reg.exe 2184 reg.exe -
NTFS ADS 3 IoCs
description ioc Process File created C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\PolyRansom.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\InfinityCrypt.zip:Zone.Identifier firefox.exe -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 2020 Winword.exe 2020 Winword.exe 1212 Process not Found 1212 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 5544 OpenWith.exe 5304 OpenWith.exe 5316 OpenWith.exe 3316 uwEUcAUg.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2548 chrome.exe Token: SeCreatePagefilePrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeCreatePagefilePrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeCreatePagefilePrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeCreatePagefilePrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeCreatePagefilePrivilege 2548 chrome.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 2944 [email protected] Token: SeDebugPrivilege 5440 firefox.exe Token: SeDebugPrivilege 5440 firefox.exe Token: SeIncreaseQuotaPrivilege 1392 WMIC.exe Token: SeSecurityPrivilege 1392 WMIC.exe Token: SeTakeOwnershipPrivilege 1392 WMIC.exe Token: SeLoadDriverPrivilege 1392 WMIC.exe Token: SeSystemProfilePrivilege 1392 WMIC.exe Token: SeSystemtimePrivilege 1392 WMIC.exe Token: SeProfSingleProcessPrivilege 1392 WMIC.exe Token: SeIncBasePriorityPrivilege 1392 WMIC.exe Token: SeCreatePagefilePrivilege 1392 WMIC.exe Token: SeBackupPrivilege 1392 WMIC.exe Token: SeRestorePrivilege 1392 WMIC.exe Token: SeShutdownPrivilege 1392 WMIC.exe Token: SeDebugPrivilege 1392 WMIC.exe Token: SeSystemEnvironmentPrivilege 1392 WMIC.exe Token: SeRemoteShutdownPrivilege 1392 WMIC.exe Token: SeUndockPrivilege 1392 WMIC.exe Token: SeManageVolumePrivilege 1392 WMIC.exe Token: 33 1392 WMIC.exe Token: 34 1392 WMIC.exe Token: 35 1392 WMIC.exe Token: 36 1392 WMIC.exe Token: SeIncreaseQuotaPrivilege 1392 WMIC.exe Token: SeSecurityPrivilege 1392 WMIC.exe Token: SeTakeOwnershipPrivilege 1392 WMIC.exe Token: SeLoadDriverPrivilege 1392 WMIC.exe Token: SeSystemProfilePrivilege 1392 WMIC.exe Token: SeSystemtimePrivilege 1392 WMIC.exe Token: SeProfSingleProcessPrivilege 1392 WMIC.exe Token: SeIncBasePriorityPrivilege 1392 WMIC.exe Token: SeCreatePagefilePrivilege 1392 WMIC.exe Token: SeBackupPrivilege 1392 WMIC.exe Token: SeRestorePrivilege 1392 WMIC.exe Token: SeShutdownPrivilege 1392 WMIC.exe Token: SeDebugPrivilege 1392 WMIC.exe Token: SeSystemEnvironmentPrivilege 1392 WMIC.exe Token: SeRemoteShutdownPrivilege 1392 WMIC.exe Token: SeUndockPrivilege 1392 WMIC.exe Token: SeManageVolumePrivilege 1392 WMIC.exe Token: 33 1392 WMIC.exe Token: 34 1392 WMIC.exe Token: 35 1392 WMIC.exe Token: 36 1392 WMIC.exe Token: SeBackupPrivilege 3384 vssvc.exe Token: SeRestorePrivilege 3384 vssvc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe 3316 uwEUcAUg.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5544 OpenWith.exe 5440 firefox.exe 5440 firefox.exe 5440 firefox.exe 3676 @[email protected] 3676 @[email protected] 2388 @[email protected] 2388 @[email protected] 5428 @[email protected] 5428 @[email protected] 5752 @[email protected] 2568 @[email protected] 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 5304 OpenWith.exe 2020 Winword.exe 2020 Winword.exe 2020 Winword.exe 2020 Winword.exe 2020 Winword.exe 2020 Winword.exe 2020 Winword.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5736 wrote to memory of 1676 5736 BrowserCollector_x64.exe 83 PID 5736 wrote to memory of 1676 5736 BrowserCollector_x64.exe 83 PID 2548 wrote to memory of 3108 2548 chrome.exe 87 PID 2548 wrote to memory of 3108 2548 chrome.exe 87 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 5144 2548 chrome.exe 88 PID 2548 wrote to memory of 1016 2548 chrome.exe 89 PID 2548 wrote to memory of 1016 2548 chrome.exe 89 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 PID 2548 wrote to memory of 3224 2548 chrome.exe 90 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2112 attrib.exe 4700 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BrowserCollector_x64.exe"C:\Users\Admin\AppData\Local\Temp\BrowserCollector_x64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵PID:1676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37bdcc40,0x7fff37bdcc4c,0x7fff37bdcc582⤵PID:3108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1776 /prefetch:22⤵PID:5144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1588,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:32⤵PID:1016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:82⤵PID:3224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:5164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3764 /prefetch:12⤵PID:5972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4788 /prefetch:82⤵PID:5848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15910491102374467725,3799692720292492923,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4788 /prefetch:82⤵PID:4544
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3256
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:5216
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5440 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22867ffe-612f-4138-8aa8-de1b645af718} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" gpu3⤵PID:5256
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92878e97-4393-4179-962d-a6cf449316ee} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" socket3⤵PID:3356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2620 -prefMapHandle 2840 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b233fc9c-3162-4751-954b-d775e00e0b41} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:3008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 1504 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4b9ea9c-0df6-4d34-8424-af8c1b6625e6} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:2496
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4700 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12c4229-77fa-495b-85e4-7a795c511b8f} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" utility3⤵
- Checks processor information in registry
PID:3836
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb941d4a-f797-44ee-aaf2-f18a133fdd5e} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:2864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5248 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a96ac652-a328-4549-921c-680d17aacf49} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:4980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc80e58-b2f4-4425-bc23-9ce36fbe06c6} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:1184
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1720 -childID 6 -isForBrowser -prefsHandle 2916 -prefMapHandle 2616 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7f4bffd-1d87-44f8-b754-c08fa8c1d1ab} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:4568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -childID 7 -isForBrowser -prefsHandle 6312 -prefMapHandle 2888 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823538e0-6c34-4717-a8c5-7a68d3b9d2e5} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" tab3⤵PID:2916
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2112
-
C:\Users\Admin\Downloads\InfinityCrypt\[email protected]"C:\Users\Admin\Downloads\InfinityCrypt\[email protected]"1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5544
-
C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:6064 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:2112
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1732
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 277791724383971.bat2⤵PID:3124
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:5172
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:4700
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:3676
-
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1244
-
-
-
C:\Windows\SysWOW64\cmd.exePID:5172
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:2388
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:1724
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2764⤵
- Program crash
PID:3824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 6404⤵
- Program crash
PID:2584
-
-
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3556
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5428
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f2⤵PID:5540
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f3⤵
- Adds Run key to start application
PID:4012
-
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4532
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exePID:3092
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:5752
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5472
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exePID:5164
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:2568
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:408
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exePID:4912
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:5512
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3464
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exePID:2388
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:4788
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5252
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exePID:5396
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]PID:1336
-
-
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 23881⤵PID:2788
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2388 -ip 23881⤵PID:3312
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]1⤵PID:3140
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5304 -
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\WannaCrypt0r\t.wnry"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]"C:\Users\Admin\Downloads\PolyRansom\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5208 -
C:\Users\Admin\PMkQgkYg\LWwkAMIQ.exe"C:\Users\Admin\PMkQgkYg\LWwkAMIQ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5084
-
-
C:\ProgramData\ouMoEgoM\uwEUcAUg.exe"C:\ProgramData\ouMoEgoM\uwEUcAUg.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3316
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"2⤵PID:3684
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"4⤵PID:5064
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"6⤵PID:3824
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom7⤵
- Suspicious behavior: EnumeratesProcesses
PID:752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"8⤵PID:3124
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"10⤵PID:5196
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"12⤵PID:1996
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom13⤵
- Suspicious behavior: EnumeratesProcesses
PID:980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"14⤵PID:3136
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"16⤵PID:1204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵PID:3700
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom17⤵
- Suspicious behavior: EnumeratesProcesses
PID:5992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"18⤵PID:5416
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"20⤵PID:1068
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"22⤵PID:6140
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"24⤵PID:5888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:5408
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"26⤵PID:1044
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"28⤵PID:4864
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom29⤵PID:2296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"30⤵
- System Location Discovery: System Language Discovery
PID:3104 -
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom31⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"32⤵PID:6020
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom33⤵PID:5240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"34⤵PID:5888
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom35⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"36⤵PID:2864
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom37⤵PID:1856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"38⤵PID:5332
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom39⤵PID:5384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"40⤵PID:980
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom41⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"42⤵PID:924
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom43⤵PID:4800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"44⤵PID:3768
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom45⤵PID:5516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"46⤵PID:3948
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom47⤵PID:820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"48⤵PID:4636
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom49⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"50⤵PID:4632
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom51⤵PID:4276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"52⤵PID:4172
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom53⤵PID:4896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"54⤵PID:5376
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom55⤵PID:4152
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"56⤵PID:1900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:3624
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom57⤵PID:2628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"58⤵PID:5636
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom59⤵PID:648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"60⤵PID:3740
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom61⤵PID:5632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"62⤵PID:5776
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom63⤵PID:1224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"64⤵PID:2616
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom65⤵PID:1896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"66⤵PID:4012
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom67⤵PID:5644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"68⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:3768
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom69⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"70⤵PID:5884
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom71⤵PID:5088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"72⤵PID:2300
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom73⤵PID:2740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"74⤵
- System Location Discovery: System Language Discovery
PID:4808 -
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom75⤵
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"76⤵PID:1604
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom77⤵PID:4600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"78⤵
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom79⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"80⤵
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom81⤵PID:6140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"82⤵PID:3424
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom83⤵PID:5348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"84⤵PID:4920
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom85⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"86⤵PID:5776
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom87⤵PID:6128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"88⤵PID:4276
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom89⤵PID:2364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"90⤵PID:1020
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom91⤵PID:5180
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"92⤵PID:5884
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom93⤵PID:5088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"94⤵PID:4776
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom95⤵PID:1072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"96⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom97⤵PID:2596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"98⤵PID:1224
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom99⤵PID:3424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"100⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:6044
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom101⤵PID:700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"102⤵PID:4740
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom103⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"104⤵PID:5192
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom105⤵PID:3724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"106⤵PID:1020
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom107⤵PID:4652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"108⤵PID:5008
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom109⤵PID:1584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"110⤵PID:2592
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom111⤵PID:1820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"112⤵PID:760
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom113⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"114⤵PID:5476
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom115⤵PID:5480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"116⤵PID:3908
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom117⤵PID:5864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"118⤵
- System Location Discovery: System Language Discovery
PID:6140 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:5088
-
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom119⤵PID:3948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"120⤵PID:5712
-
C:\Users\Admin\Downloads\PolyRansom\[email protected]C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom121⤵
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom\Endermanch@PolyRansom"122⤵PID:5024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-