wannacry | hxxp://github[.]com

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""	wscript.exe

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1632 created 4352	1632	taskmgr.exe	242
PID 1632 created 4352	1632	taskmgr.exe	242

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Possible privilege escalation attempt 5 IoCs

exploit

pid	Process
2696	icacls.exe
7616	takeown.exe
3656	icacls.exe
3200	takeown.exe
7512	icacls.exe

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	GetReady.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD37C8.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD37B1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

pid	Process
1112	MrsMajor3.0.exe
4240	eulascr.exe
1004	MrsMajor3.0.exe
3420	eulascr.exe
3636	MrsMajor3.0.exe
4920	eulascr.exe
2840	MrsMajor3.0.exe
3784	eulascr.exe
4576	taskdl.exe
872	@[email protected]
752	@[email protected]
4708	taskhsvc.exe
4492	taskdl.exe
4360	taskse.exe
2968	@[email protected]
4980	tor.exe
4932	taskdl.exe
1672	taskse.exe
2464	@[email protected]
2352	taskse.exe
1556	@[email protected]
1376	taskdl.exe
2408	taskse.exe
1480	@[email protected]
1316	taskdl.exe
2188	taskse.exe
5036	@[email protected]
1372	taskdl.exe
1960	tor.exe
4520	taskse.exe
4352	@[email protected]
4936	taskdl.exe
4744	taskse.exe
1520	@[email protected]
2768	taskdl.exe
2968	tor-browser-windows-x86_64-portable-13.5.6.exe
1804	taskse.exe
2188	@[email protected]
4744	taskdl.exe
2412	firefox.exe
932	firefox.exe
4716	firefox.exe
652	firefox.exe
1984	firefox.exe
3532	tor.exe
5248	firefox.exe
5784	firefox.exe
3656	firefox.exe
1368	firefox.exe
1832	firefox.exe
5996	firefox.exe
6100	taskse.exe
3648	@[email protected]
5808	taskdl.exe
5288	firefox.exe
1688	taskse.exe
5108	@[email protected]
5168	taskdl.exe
5568	taskse.exe
5352	@[email protected]
3660	taskdl.exe
2920	firefox.exe
5292	firefox.exe
4776	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
4240	eulascr.exe
3420	eulascr.exe
4920	eulascr.exe
3784	eulascr.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
1960	tor.exe
1960	tor.exe
1960	tor.exe
1960	tor.exe
1960	tor.exe
1960	tor.exe
2968	tor-browser-windows-x86_64-portable-13.5.6.exe
2968	tor-browser-windows-x86_64-portable-13.5.6.exe
2968	tor-browser-windows-x86_64-portable-13.5.6.exe
2412	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
4716	firefox.exe
4716	firefox.exe
4716	firefox.exe
4716	firefox.exe
652	firefox.exe
652	firefox.exe
652	firefox.exe
652	firefox.exe
1984	firefox.exe
1984	firefox.exe
1984	firefox.exe
1984	firefox.exe
5248	firefox.exe
5248	firefox.exe
5248	firefox.exe
5248	firefox.exe
1984	firefox.exe
1984	firefox.exe
652	firefox.exe
652	firefox.exe
5248	firefox.exe
5248	firefox.exe
5784	firefox.exe
5784	firefox.exe
5784	firefox.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2696	icacls.exe
7616	takeown.exe
3656	icacls.exe
3200	takeown.exe
7512	icacls.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023d84-702.dat	agile_net
behavioral1/memory/4240-704-0x0000000000340000-0x000000000036A000-memory.dmp	agile_net
behavioral1/files/0x0007000000023d94-732.dat	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzfbkoaczl750 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
71	drive.google.com
72	drive.google.com
735	raw.githubusercontent.com
738	raw.githubusercontent.com
61	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File created	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\sethc.exe	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\Major.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\bsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\rsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majordared.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\example.txt	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat	wscript.exe
File opened for modification	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\checker.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notmuch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sdiagnhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sdiagnhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sdiagnhost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	sdiagnhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	sdiagnhost.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "59"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4628	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 698910.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 797660.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 786670.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 453209.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
548	msedge.exe
548	msedge.exe
336	identity_helper.exe
336	identity_helper.exe
2248	msedge.exe
2248	msedge.exe
2316	msedge.exe
2316	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3992	msedge.exe
3992	msedge.exe
932	msedge.exe
932	msedge.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
4708	taskhsvc.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
4980	tor.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1632	taskmgr.exe
548	msedge.exe
5144	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	eulascr.exe
Token: SeDebugPrivilege	1632	taskmgr.exe
Token: SeSystemProfilePrivilege	1632	taskmgr.exe
Token: SeCreateGlobalPrivilege	1632	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	544	WMIC.exe
Token: SeSecurityPrivilege	544	WMIC.exe
Token: SeTakeOwnershipPrivilege	544	WMIC.exe
Token: SeLoadDriverPrivilege	544	WMIC.exe
Token: SeSystemProfilePrivilege	544	WMIC.exe
Token: SeSystemtimePrivilege	544	WMIC.exe
Token: SeProfSingleProcessPrivilege	544	WMIC.exe
Token: SeIncBasePriorityPrivilege	544	WMIC.exe
Token: SeCreatePagefilePrivilege	544	WMIC.exe
Token: SeBackupPrivilege	544	WMIC.exe
Token: SeRestorePrivilege	544	WMIC.exe
Token: SeShutdownPrivilege	544	WMIC.exe
Token: SeDebugPrivilege	544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	544	WMIC.exe
Token: SeRemoteShutdownPrivilege	544	WMIC.exe
Token: SeUndockPrivilege	544	WMIC.exe
Token: SeManageVolumePrivilege	544	WMIC.exe
Token: 33	544	WMIC.exe
Token: 34	544	WMIC.exe
Token: 35	544	WMIC.exe
Token: 36	544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	544	WMIC.exe
Token: SeSecurityPrivilege	544	WMIC.exe
Token: SeTakeOwnershipPrivilege	544	WMIC.exe
Token: SeLoadDriverPrivilege	544	WMIC.exe
Token: SeSystemProfilePrivilege	544	WMIC.exe
Token: SeSystemtimePrivilege	544	WMIC.exe
Token: SeProfSingleProcessPrivilege	544	WMIC.exe
Token: SeIncBasePriorityPrivilege	544	WMIC.exe
Token: SeCreatePagefilePrivilege	544	WMIC.exe
Token: SeBackupPrivilege	544	WMIC.exe
Token: SeRestorePrivilege	544	WMIC.exe
Token: SeShutdownPrivilege	544	WMIC.exe
Token: SeDebugPrivilege	544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	544	WMIC.exe
Token: SeRemoteShutdownPrivilege	544	WMIC.exe
Token: SeUndockPrivilege	544	WMIC.exe
Token: SeManageVolumePrivilege	544	WMIC.exe
Token: 33	544	WMIC.exe
Token: 34	544	WMIC.exe
Token: 35	544	WMIC.exe
Token: 36	544	WMIC.exe
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe
Token: SeTcbPrivilege	4360	taskse.exe
Token: SeTcbPrivilege	4360	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	2408	taskse.exe
Token: SeTcbPrivilege	2408	taskse.exe
Token: SeTcbPrivilege	2188	taskse.exe
Token: SeTcbPrivilege	2188	taskse.exe
Token: SeTcbPrivilege	4520	taskse.exe
Token: SeTcbPrivilege	4520	taskse.exe
Token: SeTcbPrivilege	4744	taskse.exe
Token: SeTcbPrivilege	4744	taskse.exe
Token: SeTcbPrivilege	1804	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1112	MrsMajor3.0.exe
1004	MrsMajor3.0.exe
3636	MrsMajor3.0.exe
2840	MrsMajor3.0.exe
872	@[email protected]
872	@[email protected]
752	@[email protected]
752	@[email protected]
2968	@[email protected]
2968	@[email protected]
2464	@[email protected]
1556	@[email protected]
1480	@[email protected]
5036	@[email protected]
4352	@[email protected]
4352	@[email protected]
1520	@[email protected]
2188	@[email protected]
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
3648	@[email protected]
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
932	firefox.exe
5108	@[email protected]
5352	@[email protected]
6104	@[email protected]
2020	@[email protected]
716	@[email protected]
3352	@[email protected]
5976	@[email protected]
5144	@[email protected]
5144	@[email protected]
6792	@[email protected]
6452	@[email protected]
6384	@[email protected]
2124	@[email protected]
5500	@[email protected]
5968	@[email protected]
4280	@[email protected]
6860	@[email protected]
6860	@[email protected]
6468	@[email protected]
4836	@[email protected]
7028	@[email protected]
4916	@[email protected]
68	@[email protected]
2004	@[email protected]
5216	@[email protected]
876	@[email protected]
7144	@[email protected]
3644	@[email protected]
4052	@[email protected]
3064	@[email protected]
7072	@[email protected]
3068	@[email protected]
320	@[email protected]
6884	@[email protected]
2088	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1648	548	msedge.exe	79
PID 548 wrote to memory of 1648	548	msedge.exe	79
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 392	548	msedge.exe	80
PID 548 wrote to memory of 2500	548	msedge.exe	81
PID 548 wrote to memory of 2500	548	msedge.exe	81
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82
PID 548 wrote to memory of 5020	548	msedge.exe	82

System policy modification 1 TTPs 12 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5816	attrib.exe
1796	attrib.exe
3656	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc69ee46f8,0x7ffc69ee4708,0x7ffc69ee4718
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3920 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1420 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3760 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7440 /prefetch:8
  2⤵
  PID:3160
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.6.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2968
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2412
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:932
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.0.821751682\1183068532" -parentBuildID 20240930230510 -prefsHandle 2264 -prefMapHandle 1768 -prefsLen 19247 -prefMapSize 240500 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {db38af19-cb0d-4edf-b82f-b2efa43a944a} 932 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4716
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.1.1308033628\1546300922" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2936 -prefsLen 20081 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7aaf1cb3-5bc4-4f22-bd41-fe452829ecf4} 932 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:652
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:38ce737ee4b318596017f3e8cb1c4942caf07c2626f75dbefe86b69f74 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 932 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:3532
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.2.9767477\1911551208" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2796 -prefsLen 20897 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a0a94fa8-e58f-4f67-a0cf-18fa8fd1ae48} 932 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.3.2031419326\1620356290" -childID 3 -isForBrowser -prefsHandle 3156 -prefMapHandle 3136 -prefsLen 20974 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a22e2b0e-94cf-4832-9b51-c5dce9565f9c} 932 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5248
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.4.1363172363\1752700806" -parentBuildID 20240930230510 -prefsHandle 3900 -prefMapHandle 3912 -prefsLen 22697 -prefMapSize 240500 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {31fc0888-7d68-43fd-9107-7e96b73e9224} 932 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5784
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.5.17786451\646521068" -childID 4 -isForBrowser -prefsHandle 4060 -prefMapHandle 4044 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1f629c63-265a-4bec-8435-ac2c77957a0f} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:3656
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.6.699961299\455566899" -childID 5 -isForBrowser -prefsHandle 4236 -prefMapHandle 4136 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0cac5389-a930-4559-bb3a-6843ea3907e3} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:1368
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.7.1747767737\2144489501" -childID 6 -isForBrowser -prefsHandle 4440 -prefMapHandle 4444 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b7ff64ad-0d05-47af-80e2-d4ff2e985da8} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.8.2127066762\1565863593" -childID 7 -isForBrowser -prefsHandle 4836 -prefMapHandle 3976 -prefsLen 22622 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {33671a99-e676-471e-8b01-0ce10040441c} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:5996
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.9.1789249400\1974155352" -childID 8 -isForBrowser -prefsHandle 1864 -prefMapHandle 1940 -prefsLen 22836 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b6cdc2da-50cb-4353-a1b0-9ea8ddd7c56d} 932 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5288
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.10.1753260838\253256170" -childID 9 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {35d4dfac-742c-4cd8-95e0-ba5a9052640d} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.11.1541742406\766039593" -childID 10 -isForBrowser -prefsHandle 4528 -prefMapHandle 4428 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ebbbf5ba-c269-4eaa-b871-20abe7d6b369} 932 tab
        5⤵
        Executes dropped EXE
        
        PID:5292
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.12.676502640\196756077" -childID 11 -isForBrowser -prefsHandle 5212 -prefMapHandle 1948 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2dec75eb-58c0-4bc3-b78b-5ff61caa48d9} 932 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4776
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.13.610932088\930899303" -childID 12 -isForBrowser -prefsHandle 5128 -prefMapHandle 5224 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {45467260-f6eb-4c83-9934-bec4d3cebdd7} 932 tab
        5⤵
        Checks computer location settings
        
        PID:6492
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.14.1495202331\640913276" -childID 13 -isForBrowser -prefsHandle 4144 -prefMapHandle 5072 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c759e44f-687b-4529-aeea-e76038d0eab6} 932 tab
        5⤵
        
        PID:5568
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.15.1105981800\1925287839" -childID 14 -isForBrowser -prefsHandle 1528 -prefMapHandle 4752 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {91afa980-ec24-4262-9677-09296e25b046} 932 tab
        5⤵
        
        PID:6516
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.16.2084003679\749370723" -childID 15 -isForBrowser -prefsHandle 5664 -prefMapHandle 4428 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a3622a43-7ea1-444d-a448-09a0801ad6fc} 932 tab
        5⤵
        Checks computer location settings
        
        PID:6176
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.17.1061736001\689339932" -childID 16 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0c852d85-99d0-4e0a-ae23-9001aa998871} 932 tab
        5⤵
        Checks computer location settings
        
        PID:6908
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.18.601373508\1947309379" -childID 17 -isForBrowser -prefsHandle 5280 -prefMapHandle 5200 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5fe385da-0729-4db0-b9f4-ba909b512427} 932 tab
        5⤵
        Checks computer location settings
        
        PID:1232
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.19.674864497\453966284" -childID 18 -isForBrowser -prefsHandle 4820 -prefMapHandle 4228 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8d0e0f92-ff26-406e-ba89-aa480e91606a} 932 tab
        5⤵
        
        PID:2432
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.20.2029994410\1460208489" -childID 19 -isForBrowser -prefsHandle 5700 -prefMapHandle 5712 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {35824dab-a00c-4082-bca8-03cd2843fe76} 932 tab
        5⤵
        
        PID:5084
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="932.21.2110687007\1202149057" -childID 20 -isForBrowser -prefsHandle 5904 -prefMapHandle 6076 -prefsLen 23035 -prefMapSize 240500 -jsInitHandle 1216 -jsInitLen 240916 -parentBuildID 20240930230510 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fd8e34cf-2d83-4f35-bb7f-c62d967bdbce} 932 tab
        5⤵
        
        PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:6276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:6352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8480 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7952 /prefetch:8
  2⤵
  PID:6588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:6856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8212 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:6192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8680 /prefetch:8
  2⤵
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:6392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9444 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9252 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9004 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:1
  2⤵
  PID:6976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10132 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8744 /prefetch:8
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:6968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10220 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=10148 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9248 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10144 /prefetch:1
  2⤵
  PID:6756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1
  2⤵
  PID:6500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8756 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9668 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9672 /prefetch:1
  2⤵
  PID:6464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,12504392617543403793,5939358543246246423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8900 /prefetch:8
  2⤵
  PID:1200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1004

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1112
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\555.tmp\556.tmp\557.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\555.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\555.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4240

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1004
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\1EF8.tmp\1EF9.tmp\1EFA.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\1EF8.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\1EF8.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3420

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3636
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\57EA.tmp\57EB.tmp\57EC.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\57EA.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\57EA.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4920

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B998.tmp\B999.tmp\B99A.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\B998.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\B998.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3784

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3924
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1796
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 251591728301636.bat
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:3088
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3656
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:872
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3088
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:2188
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4628
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2464
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:4352
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6100
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3648
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5108
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5168
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5568
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5352
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3660
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:5792
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6104
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5932
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:4304
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:1652
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7160
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:716
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:1948
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4188
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3352
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:4296
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:3180
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5976
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6204
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1000
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5144
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3484
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6792
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3396
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:5436
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6452
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6564
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7056
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6384
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6368
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:4804
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:2148
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5500
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7100
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5968
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6504
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6576
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4280
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6536
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6672
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6860
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6116
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6856
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6860
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:2004
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6352
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6468
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7032
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:8
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4836
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:1416
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7028
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4188
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:872
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6456
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6424
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:68
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:1408
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:7080
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:5372
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6472
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5216
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6736
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6676
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6344
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:5816
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6524
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7144
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6472
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6816
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3644
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6080
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:1892
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4052
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7152
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:2984
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7072
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6548
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7072
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:2820
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6388
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5004
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:2088
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7148
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:2148
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6884
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6024
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:1820
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6664
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6516
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:2920
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6100
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7876
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:7884
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7940
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7172
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7180
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7364
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8072
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:8048
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:6292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\Desktop\TaskData\Tor\tor.exe
"C:\Users\Admin\Desktop\TaskData\Tor\tor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Users\Admin\Desktop\TaskData\Tor\tor.exe
"C:\Users\Admin\Desktop\TaskData\Tor\tor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\187a48fb6ed94674806ae2c81fdf1579 /t 5072 /p 2968
1⤵
PID:1044

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d2654d7926de4804a3c5cbd7af31923d /t 5076 /p 4352
1⤵
PID:5484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x4f4
1⤵
PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6784

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\Win32.Wannacry.exe" CompatTab
1⤵
PID:6460
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWA263.xml /skip TRUE
  2⤵
  PID:2412
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\Win32.Wannacry.exe"
    3⤵
    - Checks computer location settings
    PID:7964

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:7248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0j1dywyp\0j1dywyp.cmdline"
  2⤵
  PID:7608
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8BC.tmp" "c:\Users\Admin\AppData\Local\Temp\0j1dywyp\CSC6B5E779C6C1400AB8651E96C91284EC.TMP"
    3⤵
    PID:7644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zupftdft\zupftdft.cmdline"
  2⤵
  PID:7688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8FB.tmp" "c:\Users\Admin\AppData\Local\Temp\zupftdft\CSC153F44EF75ED4BC2A4D5357074D73E3E.TMP"
    3⤵
    PID:7720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4q3aoqub\4q3aoqub.cmdline"
  2⤵
  PID:7800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD9.tmp" "c:\Users\Admin\AppData\Local\Temp\4q3aoqub\CSC2C07E40A6ECA4B41A418D8F75E89C187.TMP"
    3⤵
    PID:7828

C:\Users\Admin\Downloads\MrsMajor2.0.exe
"C:\Users\Admin\Downloads\MrsMajor2.0.exe"
1⤵
- Checks computer location settings
PID:6844
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A78F.tmp\A790.vbs
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:6108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
    3⤵
    PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\eula32.exe
      eula32.exe
      4⤵
      PID:7288
- - C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
    "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
    3⤵
    - Checks computer location settings
    PID:7672
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\DCB8.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
      4⤵
      Drops file in System32 directory
      PID:7420
    - - C:\Windows\System32\takeown.exe
        
        takeown /f taskmgr.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7616
    - - C:\Windows\System32\icacls.exe
        
        icacls taskmgr.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3656
    - - C:\Windows\System32\takeown.exe
        
        takeown /f sethc.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3200
    - - C:\Windows\System32\icacls.exe
        
        icacls sethc.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7512
- - C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
    "C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7444
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 5
    3⤵
    PID:7776

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
PID:7224
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DCB8.tmp\DCB9.tmp\DCBA.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:7572
- - C:\Users\Admin\AppData\Local\Temp\DCB8.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\DCB8.tmp\eulascr.exe"
    3⤵
    PID:7804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f07855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:6460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery