Analysis
max time kernel: 782s
max time network: 857s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17/01/2025, 11:47
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://Virus exe dow
Resource: win10ltsc2021-20250113-en
Errors
General
Target: http://Virus exe dow
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt
Family: wannacry
Wallet: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Extracted
Path: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\@[email protected]
Family: wannacry
Wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path: C:\Recovery\README_HOW_TO_UNLOCK.TXT
URL: http://zvnvp2rhe3ljwf2m.onion
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 63 IoCs)
Wannacry
WannaCry is a ransomware cryptoworm.
Wannacry family
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (70) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
5872 | Process not Found
Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\91ff1cb2.exe | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEE56.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDEE5D.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1AD9.tmp | WannaCrypt0r.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1ADF.tmp | WannaCrypt0r.exe
Executes dropped EXE (10 IoCs)
pid | Process
2176 | !WannaDecryptor!.exe
1972 | !WannaDecryptor!.exe
5340 | !WannaDecryptor!.exe
1956 | !WannaDecryptor!.exe
4968 | taskdl.exe
5812 | taskse.exe
5668 | AcEMAQkQ.exe
1964 | gEwAgMAE.exe
3996 | fatalerror.exe
736 | @[email protected]
Loads dropped DLL (16 IoCs)
pid | Process
2116 | WinlockerVB6Blacksod.exe
2116 | WinlockerVB6Blacksod.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
5588 | MsiExec.exe
1544 | MsiExec.exe
5588 | MsiExec.exe
2116 | WinlockerVB6Blacksod.exe
5588 | MsiExec.exe
Modifies file permissions (1 TTPs, 1 IoCs)
pid | Process
5408 | icacls.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gEwAgMAE.exe = "C:\\ProgramData\\NWUccQUg\\gEwAgMAE.exe" | gEwAgMAE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91ff1cb = "C:\\91ff1cb2\\91ff1cb2.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91ff1cb2 = "C:\\Users\\Admin\\AppData\\Roaming\\91ff1cb2.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\Ransomware\\WannaCry.exe\" /r" | WannaCry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifmtnfzogw121 = "\"C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\Ransomware\\tasksche.exe\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcEMAQkQ.exe = "C:\\Users\\Admin\\QcwwAgUE\\AcEMAQkQ.exe" | ViraLock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gEwAgMAE.exe = "C:\\ProgramData\\NWUccQUg\\gEwAgMAE.exe" | ViraLock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcEMAQkQ.exe = "C:\\Users\\Admin\\QcwwAgUE\\AcEMAQkQ.exe" | AcEMAQkQ.exe
Blocklisted process makes network request (1 IoCs)
flow | pid | Process
262 | 5588 | MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
144 | ip-addr.es
146 | ip-addr.es
255 | ip-addr.es
287 | ip-addr.es
AutoIT Executable (13 IoCs)
AutoIT scripts compiled to PE executables.
Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\Desktop\Wallpaper = "0" | $uckyLocker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | WannaCrypt0r.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117114718.pma | setup.exe
File created | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | msiexec.exe
File created | C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav | msiexec.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b43346b8-1851-466e-95dc-c4487ecc3369.tmp | setup.exe
Drops file in Windows directory (21 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIC0F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBD0.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID1D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID2E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID3E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE1C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e63099a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB41.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICBD.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID1C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6E.tmp | msiexec.exe
File created | C:\Windows\Tasks\sys.job | MsiExec.exe
File created | C:\Windows\Installer\e63099a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB90.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC4F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDCD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA08.tmp | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3164 | Process not Found
5752 | Process not Found
5540 | Process not Found
Kills process with taskkill 4 IoCs
pid | Process
772 | taskkill.exe
5692 | taskkill.exe
4580 | taskkill.exe
5616 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\IESettingSync | fatalerror.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | fatalerror.exe
Key created | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | fatalerror.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | fatalerror.exe
Modifies data under HKEY_USERS 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "23" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings | Taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings | firefox.exe
Modifies registry key 1 TTPs 64 IoCs
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4176 | Taskmgr.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
3508 | CryptoWall.exe
4512 | explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4392 | LogonUI.exe
Token: SeCreatePagefilePrivilege | 4392 | LogonUI.exe
Token: SeDebugPrivilege | 4176 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 4176 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 4176 | Taskmgr.exe
Token: 33 | 4176 | Taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4176 | Taskmgr.exe
Token: SeDebugPrivilege | 5940 | firefox.exe
Token: SeDebugPrivilege | 5940 | firefox.exe
Token: SeDebugPrivilege | 5692 | taskkill.exe
Token: SeDebugPrivilege | 772 | taskkill.exe
Token: SeDebugPrivilege | 4580 | taskkill.exe
Token: SeDebugPrivilege | 5616 | taskkill.exe
Token: SeSecurityPrivilege | 3136 | msiexec.exe
Token: SeCreateTokenPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege | 2116 | WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege | 2264 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2264 | msiexec.exe
Token: SeCreateTokenPrivilege | 2264 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2264 | msiexec.exe
Token: SeLockMemoryPrivilege | 2264 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2264 | msiexec.exe
Token: SeMachineAccountPrivilege | 2264 | msiexec.exe
Token: SeTcbPrivilege | 2264 | msiexec.exe
Token: SeSecurityPrivilege | 2264 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2264 | msiexec.exe
Token: SeLoadDriverPrivilege | 2264 | msiexec.exe
Token: SeSystemProfilePrivilege | 2264 | msiexec.exe
Token: SeSystemtimePrivilege | 2264 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2264 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2264 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2264 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2264 | msiexec.exe
Token: SeBackupPrivilege | 2264 | msiexec.exe
Token: SeRestorePrivilege | 2264 | msiexec.exe
Token: SeShutdownPrivilege | 2264 | msiexec.exe
Token: SeDebugPrivilege | 2264 | msiexec.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
400 | SecHealthUI.exe
4392 | LogonUI.exe
5940 | firefox.exe
2176 | !WannaDecryptor!.exe
2176 | !WannaDecryptor!.exe
1972 | !WannaDecryptor!.exe
1972 | !WannaDecryptor!.exe
5340 | !WannaDecryptor!.exe
5340 | !WannaDecryptor!.exe
1956 | !WannaDecryptor!.exe
1956 | !WannaDecryptor!.exe
3996 | fatalerror.exe
3996 | fatalerror.exe
3996 | fatalerror.exe
736 | @[email protected]
736 | @[email protected]
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
3436 | attrib.exe
3936 | attrib.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://Virus exe dow
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2332

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffba69346f8,0x7ffba6934708,0x7ffba6934718
  PID: 1344

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  PID: 4492

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 2716

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  PID: 4136

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  PID: 4608

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  PID: 1396

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  PID: 4768

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  PID: 4928

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  PID: 4956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  PID: 3588

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  PID: 1776

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory
  PID: 3652

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x138,0x12c,0x128,0x130,0x120,0x7ff758295460,0x7ff758295470,0x7ff758295480
    PID: 2236

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 2744

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  PID: 1876

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  PID: 636

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  PID: 568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  PID: 1856

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  PID: 4604

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3052 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5564

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  PID: 5828

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  PID: 5916

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  PID: 4272

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6412 /prefetch:8
  PID: 2052

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6643206818622466602,15495660259094193247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:2420
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1348
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2040
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:400
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:1464
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:5148
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:5268
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3720
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa39c9855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4392
-
C:\Windows\system32\launchtm.exelaunchtm.exe /31⤵PID:2676
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe" /32⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4176
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1200
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:2020
-
Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe (PID 3508)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"
  - Suspicious behavior: MapViewOfSection

Depth 2: C:\Windows\SysWOW64\explorer.exe (PID 4512)
  Command line: "C:\Windows\syswow64\explorer.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection

Depth 3: C:\Windows\SysWOW64\svchost.exe (PID 1552)
  Command line: -k netsvcs

Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe (PID 3732)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
  - Sets desktop wallpaper using registry

Depth 1: C:\Windows\system32\taskmgr.exe (PID 5680)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
Depth 1: C:\Program Files\Mozilla Firefox\firefox.exe (PID 5992)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"

Depth 2: C:\Program Files\Mozilla Firefox\firefox.exe (PID 5940)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 5232)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1896 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03804132-5608-4929-b5cc-12410e8d270b} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" gpu

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2952)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59fd0625-0f2e-4ff5-ba95-2e2884ebe3a1} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" socket
  - Checks processor information in registry

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 5072)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3048 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 3140 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b13830dc-fa51-4106-938d-1840b6ef19c7} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2200)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38d684cb-1bc8-4516-ab02-f5058a196829} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 688)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4564 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2f100f-8b5d-4c9d-86dd-4f482541a4c8} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" utility
  - Checks processor information in registry

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 4644)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5376 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6021514-2d91-4fef-ad34-315d309ca5ce} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1088)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e7c5df9-d050-430c-8310-811e70c003de} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 3800)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77eca4a8-79a7-4f6e-9210-b04838d84a26} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab

Depth 3: C:\Program Files\Mozilla Firefox\firefox.exe (PID 3548)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -childID 6 -isForBrowser -prefsHandle 6300 -prefMapHandle 6296 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2352affd-e0fa-4276-babd-b05904cc909c} 5940 "\\.\pipe\gecko-crash-server-pipe.5940" tab
Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCry.exe (PID 3208)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"
  - Drops startup file
  - Adds Run key to start application

Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 4448)
  Command line: C:\Windows\system32\cmd.exe /c 118911737115185.bat

Depth 3: C:\Windows\SysWOW64\cscript.exe (PID 5180)
  Command line: cscript //nologo c.vbs

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe (PID 2176)
  Command line: !WannaDecryptor!.exe f
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

Depth 2: C:\Windows\SysWOW64\taskkill.exe (PID 772)
  Command line: taskkill /f /im MSExchange*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\SysWOW64\taskkill.exe (PID 5692)
  Command line: taskkill /f /im Microsoft.Exchange.*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\SysWOW64\taskkill.exe (PID 5616)
  Command line: taskkill /f /im sqlserver.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\SysWOW64\taskkill.exe (PID 4580)
  Command line: taskkill /f /im sqlwriter.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe (PID 1972)
  Command line: !WannaDecryptor!.exe c
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 5060)
  Command line: cmd.exe /c start /b !WannaDecryptor!.exe v

Depth 3: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe (PID 5340)
  Command line: !WannaDecryptor!.exe v
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

Depth 4: C:\Windows\SysWOW64\cmd.exe (PID 3092)
  Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Depth 5: C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3588)
  Command line: wmic shadowcopy delete

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe (PID 1956)
  Command line: !WannaDecryptor!.exe
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCry.exe (PID 3004)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"
Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe (PID 2116)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\SysWOW64\msiexec.exe (PID 2264)
  Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\msiexec.exe (PID 3136)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Modifies WinLogon for persistence
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\syswow64\MsiExec.exe (PID 5588)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 234BF801DE336A3DD14679A9EB2A757D
  - Loads dropped DLL
  - Blocklisted process makes network request

Depth 2: C:\Windows\syswow64\MsiExec.exe (PID 1544)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 54DAA9874F1A6707ED2AC4D704185566 E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Windows directory
Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe (PID 1080)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe"
  - Drops startup file
  - Sets desktop wallpaper using registry

Depth 2: C:\Windows\SysWOW64\attrib.exe (PID 3436)
  Command line: attrib +h .
  - Views/modifies file attributes

Depth 2: C:\Windows\SysWOW64\icacls.exe (PID 5408)
  Command line: icacls . /grant Everyone:F /T /C /Q
  - Modifies file permissions

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\taskdl.exe (PID 4968)
  Command line: taskdl.exe
  - Executes dropped EXE

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\taskse.exe (PID 5812)
  Command line: taskse.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\@[email protected]
  - Executes dropped EXE

Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 1396)
  Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ifmtnfzogw121" /t REG_SZ /d "\"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f

Depth 3: C:\Windows\SysWOW64\reg.exe (PID 5672)
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ifmtnfzogw121" /t REG_SZ /d "\"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f
  - Adds Run key to start application

Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 2864)
  Command line: C:\Windows\system32\cmd.exe /c 231081737115198.bat

Depth 3: C:\Windows\SysWOW64\cscript.exe (PID 4256)
  Command line: cscript.exe //nologo m.vbs

Depth 2: C:\Windows\SysWOW64\attrib.exe (PID 3936)
  Command line: attrib +h +s F:\$RECYCLE
  - Views/modifies file attributes

C:\Windows\SysWOW64\cmd.exe (PID 1544)
  Depth and command line not captured on the page.

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\@[email protected] (PID 736)
  Depth and command line not captured on the page.

Depth 4: C:\Windows\SysWOW64\cmd.exe (PID 1960)
  Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  - System Location Discovery: System Language Discovery

Depth 5: C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 5664)
  Command line: wmic shadowcopy delete

Depth 2: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\taskdl.exe (PID 3556)
  Command line: taskdl.exe

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\taskse.exe (PID 3692)
  Depth and command line not captured on the page.

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\@[email protected] (PID 1756)
  Depth and command line not captured on the page.
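The WannaCry and WannaCrypt0r trees above show the same pre-encryption sequence twice: taskkill against Exchange and SQL Server processes, icacls granting Everyone full control of the working directory, a reg add Run-key entry for tasksche.exe, attrib +h on the staging directory, and a single cmd.exe line that deletes shadow copies, turns off Windows recovery and wipes the backup catalog. The Python below is an added example, not tria.ge code or output: a small rule set run over constructed process-creation events modelled on those command lines (the PIDs and the benign look-alikes at the end are made up), with each rule mapped to the ATT&CK technique it evidences. It generalizes slightly beyond the page by also matching the HKCU Run key and the .exe-suffixed spellings of the tools.

```python
# Added example (not tria.ge code or output): command-line triage rules for the
# ransomware tradecraft in the WannaCry / WannaCrypt0r process trees above.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique the rule maps to
    rule: str        # short rule name
    pid: int
    evidence: str    # fragment of the command line that matched


# (technique, rule name, regex). Command lines are lower-cased and
# whitespace-collapsed before matching, so every pattern is written lower-case.
RULES = [
    ("T1490 Inhibit System Recovery", "vssadmin delete shadows",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("T1490 Inhibit System Recovery", "wmic shadowcopy delete",
     r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("T1490 Inhibit System Recovery", "bcdedit recoveryenabled no",
     r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("T1490 Inhibit System Recovery", "bcdedit bootstatuspolicy ignoreallfailures",
     r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("T1490 Inhibit System Recovery", "wbadmin delete catalog",
     r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
    ("T1489 Service Stop", "taskkill of mail/database process",
     r"taskkill(?:\.exe)?\s+/f\s+/im\s+(?:msexchange\*|microsoft\.exchange\.\*|sql(?:server|writer)\.exe)"),
    ("T1222.001 File Permissions Modification", "icacls grant Everyone:F",
     r"icacls(?:\.exe)?\s+\S+\s+/grant\s+everyone:f"),
    ("T1547.001 Run Key Persistence", "reg add CurrentVersion\\Run",
     r"reg(?:\.exe)?\s+add\s+hk(?:lm|cu)\\software\\microsoft\\windows\\currentversion\\run\b"),
    ("T1564.001 Hidden Files and Directories", "attrib +h/+s",
     r"attrib(?:\.exe)?\s+(?:\+[hs]\s+)+\S+"),
]

# Constructed sample events modelled on the command lines in the tree above.
# PIDs are copied from the page for readability; the last three are benign
# look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"pid": 3092, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 3588, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 772, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im MSExchange*"},
    {"pid": 4580, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im sqlwriter.exe"},
    {"pid": 5408, "image": r"C:\Windows\SysWOW64\icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 5672, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ifmtnfzogw121" /t REG_SZ '
                r'/d "\"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f'},
    {"pid": 3436, "image": r"C:\Windows\SysWOW64\attrib.exe", "cmdline": "attrib +h ."},
    {"pid": 1000, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im notepad.exe"},
    {"pid": 1001, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c vssadmin list shadows"},
    {"pid": 1002, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lower-case so each rule needs one spelling."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def triage(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for technique, rule, pattern in RULES:
            m = re.search(pattern, cmd)
            if m:
                findings.append(Finding(technique, rule, ev["pid"], m.group(0)))
    return findings


def rules_by_pid(findings):
    """Group hits per process. One cmd.exe line that trips all five T1490
    rules at once (as the WannaDecryptor child above does) deserves a higher
    score than five tools run minutes apart by different parents."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.pid, set()).add(f.rule)
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.technique:<42} {f.rule}: {f.evidence!r}")
```

The rules key on command-line text only, which is what a Sysmon Event 1 or Security 4688 record with command-line auditing gives you; the WinLogon Shell change made by msiexec in the Winlocker tree is a registry-value event and needs a separate rule on the Winlogon\Shell value rather than on a command line.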
Depth 1: C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe (PID 2132)
  Command line: "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe"
  - Adds Run key to start application

Depth 2: C:\Users\Admin\QcwwAgUE\AcEMAQkQ.exe (PID 5668)
  Command line: "C:\Users\Admin\QcwwAgUE\AcEMAQkQ.exe"
  - Executes dropped EXE
  - Adds Run key to start application

Depth 2: C:\ProgramData\NWUccQUg\gEwAgMAE.exe (PID 1964)
  Command line: "C:\ProgramData\NWUccQUg\gEwAgMAE.exe"
  - Executes dropped EXE
  - Adds Run key to start application

C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"2⤵PID:6096
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock3⤵PID:1464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"4⤵PID:5652
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock5⤵PID:5296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"6⤵PID:2328
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock7⤵PID:4948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"8⤵PID:3236
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock9⤵PID:5984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"10⤵PID:4988
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock11⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"12⤵PID:2012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵PID:2576
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock13⤵PID:3704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"14⤵PID:5072
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock15⤵PID:2340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"16⤵PID:5200
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock17⤵
- System Location Discovery: System Language Discovery
PID:5672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"18⤵PID:1776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵PID:5096
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock19⤵PID:3456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"20⤵
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock21⤵PID:6036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"22⤵PID:4964
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock23⤵PID:2616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"24⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock25⤵PID:5304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"26⤵PID:2492
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock27⤵PID:4364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"28⤵PID:6020
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock29⤵PID:5264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"30⤵PID:4600
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock31⤵PID:564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"32⤵PID:2316
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock33⤵PID:4828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"34⤵PID:5436
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock35⤵
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"36⤵PID:5912
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock37⤵PID:2448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"38⤵PID:5416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵PID:6112
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock39⤵PID:1800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"40⤵PID:2008
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock41⤵PID:5176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"42⤵PID:1188
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock43⤵
- System Location Discovery: System Language Discovery
PID:5824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"44⤵PID:5972
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock45⤵
- System Location Discovery: System Language Discovery
PID:648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"46⤵PID:5936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵PID:6052
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock47⤵PID:4988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"48⤵PID:5816
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock49⤵PID:4768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"50⤵PID:2448
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock51⤵
- System Location Discovery: System Language Discovery
PID:3384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"52⤵PID:2540
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock53⤵PID:1608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"54⤵
- System Location Discovery: System Language Discovery
PID:5676 -
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock55⤵PID:6136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"56⤵PID:5812
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock57⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"58⤵PID:4060
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock59⤵PID:3692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"60⤵PID:2036
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock61⤵PID:2732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"62⤵PID:5816
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock63⤵
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"64⤵PID:5984
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock65⤵PID:4976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"66⤵PID:2628
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock67⤵PID:4972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"68⤵PID:3288
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock69⤵PID:2496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"70⤵PID:4040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:5436
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock71⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"72⤵PID:3392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:5036
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock73⤵PID:4936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"74⤵PID:5936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:2764
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock75⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"76⤵PID:2344
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock77⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"78⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:5328
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock79⤵PID:3292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"80⤵PID:1816
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock81⤵PID:1596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"82⤵PID:5784
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock83⤵PID:3992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"84⤵PID:5896
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock85⤵PID:4040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"86⤵PID:5248
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock87⤵PID:1984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"88⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exeC:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock89⤵PID:2052
-
depth 90  PID 4012  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 91  PID 5480  C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 91  PID 2564  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 92  PID 4456  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 93  PID 5400  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 94  PID 5000  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 95  PID 2472  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 96  PID 4768  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 97  PID 2404  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 98  PID 2252  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 99  PID 5944  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 100  PID 3412  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 101  PID 3608  C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 101  PID 4912  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 102  PID 4160  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 103  PID 1340  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 104  PID 1248  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
    signature: System Location Discovery: System Language Discovery
depth 105  PID 4012  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 106  PID 2336  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 107  PID 5796  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 108  PID 2112  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 109  PID 3112  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 110  PID 772  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 111  PID 2500  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 112  PID 4008  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 113  PID 4976  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 114  PID 5088  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 115  PID 5540  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 116  PID 3916  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
    signature: System Location Discovery: System Language Discovery
depth 117  PID 5588  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 118  PID 1476  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
    signature: System Location Discovery: System Language Discovery
depth 119  PID 3692  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 120  PID 2804  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
depth 121  PID 3236  C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
    C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock
depth 122  PID 3832  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\ViraLock"
    signature: System Location Discovery: System Language Discovery