Analysis
-
max time kernel
1799s -
max time network
1784s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-02-2025 20:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
HappyMod-3-1-5.apk
Resource
win11-20241007-en
windows11-21h2-x64
48 signatures
900 seconds
General
-
Target
HappyMod-3-1-5.apk
-
Size
17.4MB
-
MD5
0ef4f4f011c3e16e18b18584d2f40393
-
SHA1
d4a1292884579509009f85fbe480e819f4e103a9
-
SHA256
a7e864470fc10ae55241364ce076007552af9673177e15caf4c20062bfc7339a
-
SHA512
a85a12907e4a3b5bae1d80771817798c123688c2b4fc1945efdb65ff9d1ad4168186add6c55ae4ade9a969c9e0f67cab2672031aafbaca76386e74357211636b
-
SSDEEP
393216:zp0TcbMT8whcEb7NqnKdzbspDNx4GhY6qqoe2w+FCropPvAUqfE:zacQTvcEUnKRwMGm6qqf0CkpQUqfE
Malware Config
Extracted
Path
C:\Users\Admin\Downloads\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Process not Found -
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 1708 created 2084 1708 Process not Found 2045 PID 1708 created 2084 1708 Process not Found 2045 -
UAC bypass 3 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Active Setup\Installed Components Process not Found -
Downloads MZ/PE file 2 IoCs
flow pid Process 40 5088 msedge.exe 81 3656 Process not Found -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2350.tmp Process not Found File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2366.tmp Process not Found -
Executes dropped EXE 64 IoCs
pid Process 432 ViraLock (1).exe 4200 feAQcsYs.exe 1072 mQAYUkQE.exe 1948 ViraLock (1).exe 3004 ViraLock (1).exe 656 ViraLock (1).exe 4072 ViraLock (1).exe 736 ViraLock (1).exe 5016 ViraLock (1).exe 1548 ViraLock (1).exe 1400 ViraLock (1).exe 2092 ViraLock (1).exe 3340 ViraLock (1).exe 3976 ViraLock (1).exe 576 ViraLock (1).exe 2180 ViraLock (1).exe 1864 ViraLock (1).exe 4548 ViraLock (1).exe 2700 ViraLock (1).exe 5012 ViraLock (1).exe 848 ViraLock (1).exe 1816 ViraLock (1).exe 3076 ViraLock (1).exe 1964 ViraLock (1).exe 4736 ViraLock (1).exe 4404 ViraLock (1).exe 3004 ViraLock (1).exe 1864 ViraLock (1).exe 1764 ViraLock (1).exe 2208 ViraLock (1).exe 2984 ViraLock (1).exe 2180 ViraLock (1).exe 4688 ViraLock (1).exe 240 ViraLock (1).exe 1764 ViraLock (1).exe 3524 ViraLock (1).exe 3588 ViraLock (1).exe 4900 ViraLock (1).exe 3548 ViraLock (1).exe 1044 ViraLock (1).exe 444 ViraLock (1).exe 1792 ViraLock (1).exe 1584 ViraLock (1).exe 4060 ViraLock (1).exe 2948 ViraLock (1).exe 1952 ViraLock (1).exe 3696 ViraLock (1).exe 2304 ViraLock (1).exe 5116 ViraLock (1).exe 3996 ViraLock (1).exe 3340 ViraLock (1).exe 1860 ViraLock (1).exe 1816 ViraLock (1).exe 3768 ViraLock (1).exe 2336 ViraLock (1).exe 4868 ViraLock (1).exe 3292 ViraLock (1).exe 2792 ViraLock (1).exe 4204 ViraLock (1).exe 496 ViraLock (1).exe 1688 ViraLock (1).exe 1044 ViraLock (1).exe 1948 ViraLock (1).exe 3656 ViraLock (1).exe -
Loads dropped DLL 8 IoCs
pid Process 3836 Process not Found 3836 Process not Found 3836 Process not Found 3836 Process not Found 3836 Process not Found 3836 Process not Found 3836 Process not Found 3836 Process not Found -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3748 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\feAQcsYs.exe = "C:\\Users\\Admin\\LWgsUccE\\feAQcsYs.exe" feAQcsYs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aptiorhqd785 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\feAQcsYs.exe = "C:\\Users\\Admin\\LWgsUccE\\feAQcsYs.exe" ViraLock (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mQAYUkQE.exe = "C:\\ProgramData\\RCscEMMc\\mQAYUkQE.exe" ViraLock (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mQAYUkQE.exe = "C:\\ProgramData\\RCscEMMc\\mQAYUkQE.exe" mQAYUkQE.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: Process not Found File opened (read-only) \??\F: Process not Found -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 2 raw.githubusercontent.com 40 raw.githubusercontent.com 81 raw.githubusercontent.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\tztv-f.exe Process not Found -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3972 Process not Found -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" Process not Found -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\ViraLock (1).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier Process not Found -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViraLock (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName Process not Found -
Enumerates system info in registry 2 TTPs 11 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found -
Kills process with taskkill 2 IoCs
pid Process 1444 Process not Found 4504 Process not Found -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3594064913" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\TypedURLs taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31159578" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main Process not Found -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" Process not Found Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem Process not Found Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" Process not Found Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000 Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 Process not Found Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "264" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2352" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe13000000d3bbf1dfaf18db018de874c3e674db0149321ecce674db0114000000 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1020" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13745" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff taskmgr.exe Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 00000000ffffffff Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4205" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10032" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Rev = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "4" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "4213" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "888" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7439" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3989" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3913" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5044" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5139" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12731" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" Process not Found Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Process not Found -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3004 reg.exe 3324 reg.exe 1972 reg.exe 844 reg.exe 1720 reg.exe 4712 reg.exe 256 Process not Found 3500 Process not Found 1308 reg.exe 1864 reg.exe 4704 reg.exe 1136 reg.exe 240 reg.exe 3068 Process not Found 3984 Process not Found 5044 reg.exe 3592 reg.exe 872 reg.exe 568 reg.exe 1852 reg.exe 5016 reg.exe 3916 reg.exe 4300 reg.exe 1792 reg.exe 448 reg.exe 4092 reg.exe 1540 reg.exe 4896 Process not Found 1564 reg.exe 5052 reg.exe 4072 reg.exe 4100 Process not Found 2696 reg.exe 5044 reg.exe 228 reg.exe 1112 reg.exe 3280 Process not Found 1304 Process not Found 2948 reg.exe 2064 reg.exe 1860 reg.exe 712 Process not Found 3972 reg.exe 3364 reg.exe 2332 reg.exe 1540 reg.exe 1568 reg.exe 3312 reg.exe 1968 reg.exe 3076 reg.exe 1380 Process not Found 3920 Process not Found 3732 reg.exe 5016 reg.exe 576 reg.exe 2164 reg.exe 1144 reg.exe 1964 reg.exe 2488 reg.exe 4712 reg.exe 900 Process not Found 1964 reg.exe 3400 reg.exe 3280 reg.exe -
NTFS ADS 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 795206.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 702107.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\ViraLock (1).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 109344.crdownload:SmartScreen Process not Found File opened for modification C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier Process not Found -
Opens file in notepad (likely ransom note) 4 IoCs
pid Process 4368 Process not Found 4976 Process not Found 3296 Process not Found 2092 Process not Found -
Suspicious behavior: AddClipboardFormatListener 5 IoCs
pid Process 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5088 msedge.exe 5088 msedge.exe 4972 msedge.exe 4972 msedge.exe 3280 identity_helper.exe 3280 identity_helper.exe 3920 msedge.exe 3920 msedge.exe 3968 msedge.exe 3968 msedge.exe 432 ViraLock (1).exe 432 ViraLock (1).exe 432 ViraLock (1).exe 432 ViraLock (1).exe 1948 ViraLock (1).exe 1948 ViraLock (1).exe 1948 ViraLock (1).exe 1948 ViraLock (1).exe 3004 ViraLock (1).exe 3004 ViraLock (1).exe 3004 ViraLock (1).exe 3004 ViraLock (1).exe 656 ViraLock (1).exe 656 ViraLock (1).exe 656 ViraLock (1).exe 656 ViraLock (1).exe 4072 ViraLock (1).exe 4072 ViraLock (1).exe 4072 ViraLock (1).exe 4072 ViraLock (1).exe 736 ViraLock (1).exe 736 ViraLock (1).exe 736 ViraLock (1).exe 736 ViraLock (1).exe 5016 ViraLock (1).exe 5016 ViraLock (1).exe 5016 ViraLock (1).exe 5016 ViraLock (1).exe 1548 ViraLock (1).exe 1548 ViraLock (1).exe 1548 ViraLock (1).exe 1548 ViraLock (1).exe 1400 ViraLock (1).exe 1400 ViraLock (1).exe 1400 ViraLock (1).exe 1400 ViraLock (1).exe 2092 ViraLock (1).exe 2092 ViraLock (1).exe 2092 ViraLock (1).exe 2092 ViraLock (1).exe 3340 ViraLock (1).exe 3340 ViraLock (1).exe 3340 ViraLock (1).exe 3340 ViraLock (1).exe 3976 ViraLock (1).exe 3976 ViraLock (1).exe 3976 ViraLock (1).exe 3976 ViraLock (1).exe 576 ViraLock (1).exe 576 ViraLock (1).exe 576 ViraLock (1).exe 576 ViraLock (1).exe 2180 ViraLock (1).exe 2180 ViraLock (1).exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 1072 mQAYUkQE.exe 2060 taskmgr.exe 3320 Process not Found 4776 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
pid Process 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 868 Process not Found 868 Process not Found 868 Process not Found 868 Process not Found 868 Process not Found 868 Process not Found 868 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2060 taskmgr.exe Token: SeSystemProfilePrivilege 2060 taskmgr.exe Token: SeCreateGlobalPrivilege 2060 taskmgr.exe Token: SeShutdownPrivilege 1304 Process not Found Token: SeCreatePagefilePrivilege 1304 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found Token: SeCreatePagefilePrivilege 3320 Process not Found Token: SeShutdownPrivilege 3320 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 4972 msedge.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe 2060 taskmgr.exe -
Suspicious use of SetWindowsHookEx 40 IoCs
pid Process 1140 OpenWith.exe 1304 Process not Found 3320 Process not Found 4800 Process not Found 2696 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 2792 Process not Found 2792 Process not Found 3408 Process not Found 3408 Process not Found 3320 Process not Found 2084 Process not Found 2084 Process not Found 2796 Process not Found 5016 Process not Found 3320 Process not Found 3320 Process not Found 4800 Process not Found 4800 Process not Found 4800 Process not Found 4800 Process not Found 4800 Process not Found 4716 Process not Found 4716 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found 3320 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4972 wrote to memory of 1008 4972 msedge.exe 82 PID 4972 wrote to memory of 1008 4972 msedge.exe 82 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 2336 4972 msedge.exe 83 PID 4972 wrote to memory of 5088 4972 msedge.exe 84 PID 4972 wrote to memory of 5088 4972 msedge.exe 84 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 PID 4972 wrote to memory of 1872 4972 msedge.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4108 Process not Found 912 Process not Found
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\HappyMod-3-1-5.apk1⤵PID:1144
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff44e53cb8,0x7fff44e53cc8,0x7fff44e53cd82⤵PID:1008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:2336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:82⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:1384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:12⤵PID:4896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:2760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:12⤵PID:2680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:12⤵PID:228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵PID:1504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:82⤵PID:2364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3516 /prefetch:82⤵PID:1848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵PID:128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵PID:352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵PID:4168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,291891929757826012,15613878970779875383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵PID:2884
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1).exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:432 -
C:\Users\Admin\LWgsUccE\feAQcsYs.exe"C:\Users\Admin\LWgsUccE\feAQcsYs.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4200
-
-
C:\ProgramData\RCscEMMc\mQAYUkQE.exe"C:\ProgramData\RCscEMMc\mQAYUkQE.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1072
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"3⤵
- System Location Discovery: System Language Discovery
PID:4656 -
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"5⤵PID:4020
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"7⤵PID:4688
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"9⤵PID:1584
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"11⤵PID:2232
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"13⤵PID:1848
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"15⤵PID:5020
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"17⤵PID:4020
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"19⤵PID:1636
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"21⤵PID:1596
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"23⤵PID:2728
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"25⤵PID:5072
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"27⤵
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"29⤵PID:2216
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"31⤵PID:2120
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"32⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"33⤵PID:5036
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"34⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"35⤵PID:3100
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"36⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"37⤵PID:3408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵PID:1624
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"38⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"39⤵PID:2092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV140⤵PID:692
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"40⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"41⤵PID:2568
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"42⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"43⤵PID:844
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"44⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"45⤵PID:3524
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"46⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"47⤵PID:2488
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"48⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"49⤵PID:5004
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"50⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"51⤵PID:4156
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"52⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"53⤵PID:4820
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"54⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"55⤵PID:3536
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"56⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"57⤵PID:4720
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"58⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"59⤵PID:4832
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"60⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"61⤵PID:1556
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"62⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"63⤵PID:4892
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"64⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"65⤵PID:4420
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"66⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"67⤵PID:4736
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"68⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"69⤵PID:3760
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"70⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"71⤵
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"72⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"73⤵PID:4548
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"74⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"75⤵PID:2720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV176⤵PID:792
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"76⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"77⤵PID:3404
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"78⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"79⤵PID:2800
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"80⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"81⤵PID:2068
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"82⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"83⤵PID:1852
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"84⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"85⤵PID:3640
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"86⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"87⤵PID:3600
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"88⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"89⤵PID:2060
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"90⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"91⤵PID:2540
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"92⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"93⤵PID:3748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV194⤵PID:3760
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"94⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"95⤵PID:4880
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"96⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"97⤵PID:1680
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"98⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"99⤵PID:4888
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"100⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"101⤵PID:2208
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"102⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"103⤵PID:4896
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"104⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"105⤵PID:3684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵PID:1584
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"106⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"107⤵PID:3136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1108⤵PID:4060
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"108⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"109⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1110⤵PID:3424
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"110⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"111⤵PID:3968
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"112⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"113⤵PID:1320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1114⤵PID:2060
-
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"114⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"115⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"116⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"117⤵
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"118⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"119⤵PID:4116
-
C:\Users\Admin\Downloads\ViraLock (1).exe"C:\Users\Admin\Downloads\ViraLock (1)"120⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock (1)"121⤵PID:4308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-