Resubmissions
submitted           id                  score
07/03/2025, 01:45   250307-b6lhvssmz6   7
07/03/2025, 01:35   250307-bzy6da1xht   8
07/03/2025, 01:14   250307-bl6y3asjy5   10
25/02/2025, 23:16   250225-287f8atjv5   8

Analysis
max time kernel: 1172s
max time network: 1170s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/03/2025, 01:14

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bonzi.link/
Resource: win11-20250217-en

General
Target: https://bonzi.link/

Malware Config

Signatures
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
Dharma family
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(this identical entry is repeated for all 64 IoCs)
UAC bypass (3 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(this identical entry is repeated for all 64 IoCs)
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (698) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | MSAGENT.EXE
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | tv_enua.exe
Downloads MZ/PE file (5 IoCs)
flow | pid | Process
159 | 3896 | msedge.exe
(this identical entry is repeated for all 5 IoCs)
Office macro that triggers on suspicious action (1 IoCs)
Office document macro which triggers in special circumstances - often malicious.
resource | yara_rule
behavioral1/files/0x001b00000002b1fd-2963.dat | office_macro_on_action
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
Executes dropped EXE (64 IoCs)
pid | Process
4068 | MSAGENT.EXE
1932 | tv_enua.exe
5352 | AgentSvr.exe
5376 | BonziBDY_4.EXE
5392 | AgentSvr.exe
1580 | CoronaVirus.exe
8892 | msedge.exe
8688 | msedge.exe
12964 | msedge.exe
8588 | msedge.exe
7164 | msedge.exe
2424 | PolyRansom (1).exe
3864 | NiIIYoMM.exe
4380 | ZyAgYcAk.exe
PolyRansom (1).exe, 50 further instances, pids in listed order: 10616, 9200, 14360, 17360, 19656, 4812, 6696, 7916, 8564, 8236, 8136, 8556, 7220, 6756, 16780, 17072, 16568, 9028, 11016, 10128, 11128, 11988, 13504, 14112, 14692, 16016, 17316, 17648, 7364, 23620, 25008, 19432, 20064, 20368, 26508, 26772, 29364, 10956, 20756, 22360, 11364, 14316, 14904, 13524, 21464, 18336, 21756, 22176, 28396, 22612
Loads dropped DLL (64 IoCs)
pid | Process
4816 | BonziBuddy432.exe (11 entries)
4068 | MSAGENT.EXE
5192 | regsvr32.exe
5216 | regsvr32.exe
5236 | regsvr32.exe
5260 | regsvr32.exe
5280 | regsvr32.exe
5304 | regsvr32.exe
5328 | regsvr32.exe
1932 | tv_enua.exe
6020 | regsvr32.exe (2 entries)
6124 | regsvr32.exe
5376 | BonziBDY_4.EXE (6 entries)
5392 | AgentSvr.exe (5 entries)
msedge.exe, 23 entries, pids in listed order: 8892, 8688, 12964, 8588, 7164, 9336, 11496, 13120, 3900, 13724, 13436, 14512, 22976, 22940, 7980, 18576, 19176, 18812, 20308, 23584, 24764, 25016, 29704
30116 | WINWORD.EXE (7 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Windows\CurrentVersion\Run\NiIIYoMM.exe = "C:\\Users\\Admin\\qoEwwckw\\NiIIYoMM.exe" | NiIIYoMM.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZyAgYcAk.exe = "C:\\ProgramData\\OWskMkMs\\ZyAgYcAk.exe" | ZyAgYcAk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | tv_enua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Windows\CurrentVersion\Run\NiIIYoMM.exe = "C:\\Users\\Admin\\qoEwwckw\\NiIIYoMM.exe" | PolyRansom (1).exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZyAgYcAk.exe = "C:\\ProgramData\\OWskMkMs\\ZyAgYcAk.exe" | PolyRansom (1).exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
All 64 entries are "File opened for modification" by CoronaVirus.exe, on these paths in listed order:
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2800786028-4028220528-1905518260-1000\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Videos\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2800786028-4028220528-1905518260-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
129 | raw.githubusercontent.com
159 | raw.githubusercontent.com
-
Drops file in System32 directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | tv_enua.exe
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
File opened for modification | C:\Windows\SysWOW64\SETA2D8.tmp | tv_enua.exe
File created | C:\Windows\SysWOW64\SETA2D8.tmp | tv_enua.exe
-
resource | yara_rule
behavioral1/files/0x001e00000002b111-32290.dat | upx
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\AppxManifest.xml | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2021.2012.10.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_et.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | CoronaVirus.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jdb.exe.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | CoronaVirus.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherSplashScreen.scale-125_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\resources.pri | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Contain.ps1 | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadMedTile.scale-125.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_nb.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80_altform-lightunplated_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_contrast-black.png | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-disabled_32.svg | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.UI.ViewManagement.ViewManagementViewScalingContract.winmd | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\256x256.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\IKeyframes.js | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_tr.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xsl.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-lightunplated_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-40_altform-lightunplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\System\vcruntime140.dll | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-400.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png.id-E4FF9D87.[[email protected]].ncov | CoronaVirus.exe
-
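The file tables above are the most useful part of the report for a responder: every file CoronaVirus.exe renamed follows the Dharma/CrySIS convention `<original name>.id-<8 hex victim id>.[<contact address>].<extension>`, here with victim id E4FF9D87 and extension .ncov (the contact address survives in this report only as the redacted "[email protected]"). The script below is an added example, not code from the report or the sandbox: it splits the run-together "description ioc Process" rows back into records, decodes the renamed files, and pulls out the facts worth pivoting on (victim id, extension, files created under System32). The sample rows are copied verbatim from the tables above; the parser assumes process names contain no spaces, which holds for every process in these file tables.

```python
"""Added example, not part of the sandbox report: turn the flattened
'description ioc Process' rows into records and decode the Dharma/CrySIS-style
name the encrypted files were given:

    <original name>.id-<8 hex victim id>.[<contact address>].<extension>
"""
import re
from collections import Counter
from dataclasses import dataclass

# Every row in the report's file tables starts with one of these two verbs.
ACTION_RE = re.compile(r"\b(File opened for modification|File created)\s+")

# <name>.id-E4FF9D87.[contact].ncov ; the contact address is whatever sits
# between the brackets, which in this report is the redacted "[email protected]".
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class FileEvent:
    action: str
    path: str
    process: str


def parse_rows(text):
    """Split one run-together report line into FileEvent records.

    Assumes the acting process name carries no spaces (true for every process
    in the file tables of this report, e.g. CoronaVirus.exe, tv_enua.exe).
    """
    parts = ACTION_RE.split(text)
    events = []
    # parts[0] is the table header (or empty); then alternating action / rest.
    for action, rest in zip(parts[1::2], parts[2::2]):
        path, process = rest.strip().rsplit(None, 1)
        events.append(FileEvent(action, path, process))
    return events


def decode_dharma_name(path):
    """Return the decoded name components, or None if the file was not renamed."""
    name = path.rsplit("\\", 1)[-1]
    match = DHARMA_NAME_RE.match(name)
    return match.groupdict() if match else None


def summarize(events):
    """Aggregate what a responder wants: who encrypted what, and where loaders landed."""
    encrypted = [d for d in (decode_dharma_name(e.path) for e in events) if d]
    return {
        "rows": len(events),
        "encrypted": len(encrypted),
        "victim_ids": sorted({d["victim_id"] for d in encrypted}),
        "contacts": sorted({d["contact"] for d in encrypted}),
        "extensions": sorted({d["ext"] for d in encrypted}),
        "by_process": dict(Counter(e.process for e in events)),
        "created_in_system32": [
            e.path for e in events
            if e.action == "File created" and "\\System32\\" in e.path
        ],
    }


# Rows copied verbatim from the report's tables (header kept to show it is skipped).
SAMPLE = (
    r"description ioc Process "
    r"File opened for modification C:\Program Files\7-Zip\Lang\ko.txt CoronaVirus.exe "
    r"File created C:\Program Files\Java\jdk-1.8\bin\jdb.exe.id-E4FF9D87.[[email protected]].ncov CoronaVirus.exe "
    r"File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z.id-E4FF9D87.[[email protected]].ncov CoronaVirus.exe "
    r"File created C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.id-E4FF9D87.[[email protected]].ncov CoronaVirus.exe "
    r"File opened for modification C:\Windows\SysWOW64\msvcp50.dll tv_enua.exe "
    r"File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe "
    r"File created C:\Windows\System32\Info.hta CoronaVirus.exe"
)

if __name__ == "__main__":
    events = parse_rows(SAMPLE)
    for event in events:
        print(event.action, "|", event.path, "|", event.process, "|",
              decode_dharma_name(event.path))
    print(summarize(events))
```

Running it over the full tables rather than the sample gives the complete set of renamed paths; a single victim id across all of them confirms one encryptor instance, and the two files created under System32 (the copied executable and Info.hta, the ransom note) are the artifacts to hunt for on other hosts.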
Drops file in Windows directory 56 IoCs
description | ioc | Process
File created | C:\Windows\msagent\SET7BE2.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7C05.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentMPx.dll | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7C06.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7C07.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentPsh.dll | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\intl\SET7C0C.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7C1D.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentCtl.dll | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentSvr.exe | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C07.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentSR.dll | MSAGENT.EXE
File opened for modification | C:\Windows\INF\SET7C09.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\INF\agtinst.inf | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\mslwvtts.dll | MSAGENT.EXE
File opened for modification | C:\Windows\lhsp\tv\SETA2C3.tmp | tv_enua.exe
File opened for modification | C:\Windows\msagent\chars\Peedy.acs | BonziBuddy432.exe
File opened for modification | C:\Windows\msagent\SET7BE2.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7BF3.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7BF4.tmp | MSAGENT.EXE
File created | C:\Windows\lhsp\tv\SETA2C3.tmp | tv_enua.exe
File opened for modification | C:\Windows\lhsp\help\SETA2D5.tmp | tv_enua.exe
File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | tv_enua.exe
File created | C:\Windows\INF\SETA2D7.tmp | tv_enua.exe
File opened for modification | C:\Windows\msagent\AgentDp2.dll | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C05.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C06.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C0A.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C1D.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\INF\SETA2D7.tmp | tv_enua.exe
File opened for modification | C:\Windows\INF\tv_enua.inf | tv_enua.exe
File opened for modification | C:\Windows\msagent\SET7C08.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7C08.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\help\Agt0409.hlp | MSAGENT.EXE
File created | C:\Windows\msagent\intl\SET7C0C.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | MSAGENT.EXE
File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | tv_enua.exe
File opened for modification | C:\Windows\lhsp\tv\SETA2C4.tmp | tv_enua.exe
File created | C:\Windows\lhsp\help\SETA2D5.tmp | tv_enua.exe
File opened for modification | C:\Windows\msagent\SET7BF2.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentAnm.dll | MSAGENT.EXE
File created | C:\Windows\help\SET7C0B.tmp | MSAGENT.EXE
File created | C:\Windows\lhsp\tv\SETA2C4.tmp | tv_enua.exe
File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | tv_enua.exe
File opened for modification | C:\Windows\fonts\SETA2D6.tmp | tv_enua.exe
File created | C:\Windows\fonts\SETA2D6.tmp | tv_enua.exe
File opened for modification | C:\Windows\msagent\chars\Bonzi.acs | BonziBuddy432.exe
File created | C:\Windows\msagent\SET7BF2.tmp | MSAGENT.EXE
File created | C:\Windows\msagent\SET7BF3.tmp | MSAGENT.EXE
File created | C:\Windows\INF\SET7C09.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\AgentDPv.dll | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7BF4.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\msagent\SET7C0A.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\help\SET7C0B.tmp | MSAGENT.EXE
File opened for modification | C:\Windows\fonts\andmoipa.ttf | tv_enua.exe
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 7 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\PolyRansom (1).exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CodeRed.a.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{F5B0384B-039C-42DE-B518-4A9E4D585B3F}\8tr.exe:Zone.Identifier | WINWORD.EXE
File opened for modification | C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier | msedge.exe
-
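A write to `<file>:Zone.Identifier` is also what applying the mark looks like: msedge.exe writes the stream to every file it downloads, and WINWORD.EXE writing it to 8tr.exe under Temp is consistent with Office propagating the mark to a file it extracted. The table therefore shows the stream being touched, not by itself that the mark was removed; to tell the two apart you read the stream back. The script below is an added example, not code from the report or the sandbox: it parses the INI-style content of a Zone.Identifier stream and classifies a file as marked (ZoneId 3 or 4), effectively unmarked (ZoneId rewritten to 0, 1 or 2), malformed, or carrying no stream at all. The sample streams are constructed, since the report does not show stream contents, and the `read_zone_identifier` helper is an assumption that only works on Windows/NTFS.

```python
"""Added example, not part of the sandbox report: decode the Zone.Identifier
alternate data stream that carries the Mark-of-the-Web and classify a file by it.

The stream is a small INI document written by the downloading application:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=<page the download came from>
    HostUrl=<URL the bytes came from>

ZoneId 3 (Internet) and 4 (Restricted sites) are what SmartScreen and Office
Protected View act on. A bypass never writes the stream, deletes it, or
rewrites ZoneId to 0, 1 or 2.
"""
import sys

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text):
    """Parse [ZoneTransfer] content into a dict; ZoneId becomes an int or None."""
    fields = {"ZoneId": None, "ReferrerUrl": None, "HostUrl": None}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            fields["ZoneId"] = int(value) if value.isdigit() else None
        elif key in fields:
            fields[key] = value
    return fields


def classify(stream_text):
    """Map a stream's text (or None when the ADS is absent) to a verdict string."""
    if stream_text is None:
        return "unmarked"      # no ADS at all: never tagged, or stripped afterwards
    zone = parse_zone_identifier(stream_text)["ZoneId"]
    if zone is None or zone not in ZONE_NAMES:
        return "malformed"     # stream present but unusable: treat as suspicious
    if zone >= 3:
        return "internet"      # mark present and effective
    return "trusted"           # ZoneId 0-2: the mark no longer triggers protections


def read_zone_identifier(path):
    """Read the ADS on Windows/NTFS; None when the stream is absent.

    Assumed helper: on non-Windows hosts it always returns None, because a
    'name:stream' open would create an ordinary file there.
    """
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# Constructed sample streams; the report shows none of the stream contents.
BROWSER_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/CoronaVirus.exe\r\n"
)
REWRITTEN_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"
BROKEN_STREAM = "[ZoneTransfer]\r\nZoneId=three\r\n"

if __name__ == "__main__":
    samples = [("browser download", BROWSER_STREAM), ("rewritten", REWRITTEN_STREAM),
               ("broken", BROKEN_STREAM), ("no stream", None)]
    for label, stream in samples:
        print(f"{label:16s} -> {classify(stream)}")
    if len(sys.argv) > 1:   # on Windows: python motw.py C:\path\to\file.exe
        print(sys.argv[1], "->", classify(read_zone_identifier(sys.argv[1])))
```

On a live Windows host the same check is one PowerShell line, `Get-Content -Path <file> -Stream Zone.Identifier`; a missing stream on a file the browser is known to have written is the signal that distinguishes a real bypass from the ordinary tagging shown in the table.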
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
31600 | 19024 | WerFault.exe | 1504
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 entries open the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; counted by process:
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (28 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (18 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (8 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PolyRansom (1).exe (7 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AgentSvr.exe (1 entry)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSAGENT.EXE (1 entry)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe (1 entry)
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
10688 | vssadmin.exe
26848 | vssadmin.exe
-
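The report records only that vssadmin.exe ran twice, not its arguments; the difference between an administrator listing shadow copies and ransomware deleting them is entirely in the command line, which is where a detection has to look. The script below is an added example, not code from the report or the sandbox: it matches process-creation command lines against the recovery-inhibition patterns that accompany encryption (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no) and raises the verdict when more than one distinct technique appears. The sample events are constructed; PIDs 10688 and 26848 are the ones the report lists, but their command lines and parent processes are assumptions.

```python
"""Added example, not part of the sandbox report: flag process-creation events
whose command lines match the recovery-inhibition techniques ransomware runs
alongside encryption (ATT&CK T1490). The report lists only the two vssadmin.exe
PIDs; every command line below is assumed."""
import re

# (label, pattern) pairs. Each pattern anchors on the tool name rather than on
# the start of the string, so a cmd.exe /c wrapper around the call still matches.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(?:\.exe)?.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


def classify_cmdline(cmdline):
    """Return the labels of every pattern the command line matches (empty when benign)."""
    return [label for label, pattern in RECOVERY_INHIBIT_PATTERNS if pattern.search(cmdline)]


def scan(events):
    """One hit per (event, label); events are dicts with pid, image, parent, cmdline."""
    hits = []
    for event in events:
        for label in classify_cmdline(event["cmdline"]):
            hits.append({"pid": event["pid"], "parent": event["parent"], "label": label})
    return hits


def assess(events):
    """Distinct techniques seen, plus a verdict that escalates when several appear."""
    hits = scan(events)
    techniques = sorted({h["label"] for h in hits})
    if len(techniques) >= 2:
        verdict = "recovery inhibition (ransomware-like)"
    elif techniques:
        verdict = "single recovery-tool invocation"
    else:
        verdict = "clean"
    return {"hits": hits, "techniques": techniques, "verdict": verdict}


# Constructed process-creation events. PIDs 10688 and 26848 are the vssadmin.exe
# PIDs the report lists; their command lines and parents are assumed.
SAMPLE_EVENTS = [
    {"pid": 10688, "image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 26848, "image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"pid": 4100, "image": r"C:\Windows\System32\vssadmin.exe", "parent": "powershell.exe",
     "cmdline": "vssadmin list shadows"},          # benign administrative query
    {"pid": 4101, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4102, "image": r"C:\Windows\System32\bcdedit.exe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
]

if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for hit in result["hits"]:
        print(hit)
    print(result["verdict"])
```

The resize pattern is included deliberately: shrinking shadow storage to a few hundred megabytes forces Windows to discard existing snapshots without any "delete" keyword appearing, which is why a rule keyed only on `delete shadows` misses it.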
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3384549794" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31166232" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | iexplore.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628} | BonziBuddy432.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FEA-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B976285-3692-11D0-9B8A-0000C0F04C96}\TypeLib\ = "{0A45DB48-BD0D-11D2-8D14-00104B9E072A}" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E0988E-24BE-4570-B4D8-982F1386E0C6}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\TypeLib | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | AgentSvr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID\ = "{35053A22-8589-11D1-B16A-00C0F0283628}" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628} | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32 | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\MiscStatus\ = "0" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6} | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\ProgID | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CFC9BA3-FE87-11D2-9DCF-ED29FAFE371D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55DD814E-A1B7-4808-9625-4F75A3FAD8A7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4D-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37DEB787-2D9B-11D3-9DD0-C423E6542E10}\ProxyStubClsid32 | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D31-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32 | BonziBuddy432.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628} | BonziBuddy432.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "165265" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1BE807-567F-11D1-B652-0060976C699F}\Forward\ = "{916694A9-8AD6-11D2-B6FD-0060976C699F}" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AA1F9B2-F64C-11CD-95A8-0000C04D4C0A}\TypeLib | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDD-1BF9-11D2-BAE8-00104B9E0792} | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5A31F2F-122F-4615-A9B7-90841538EC7C}\ = "BonziBUDDY.clsClickTheButton" | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1533A365-F76F-4518-8A56-4CD34547F8AB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD4-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32 | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{643F1352-1D07-11CE-9E52-0000C0554C0A}\ = "_DDayviewEvents" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F69-055F-11D4-8F9B-00104BA312D6} | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A031FBF6-81A7-4440-9E20-51ABB2289E4B}\VERSION | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus\1 | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4F2C1F0-6FA6-11CE-942A-0000C0C14E92}\TypeLib\Version = "1.0" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F95-055F-11D4-8F9B-00104BA312D6}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}" | BonziBDY_4.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6}\ = "BonziBUDDY.clsBBPlayer" | BonziBDY_4.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\HELPDIR | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916694A8-8AD6-11D2-B6FD-0060976C699F} | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE7-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CFC9BA1-FE87-11D2-9DCF-ED29FAFE371D}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\ProgID | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | BonziBuddy432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | AgentSvr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F69-055F-11D4-8F9B-00104BA312D6}\ = "clsStoryReader" | BonziBDY_4.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFC9BA2-FE87-11D2-9DCF-ED29FAFE371D}\InprocServer32\ThreadingModel = "Apartment" | BonziBuddy432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinStorage | BonziBuddy432.exe
Set value (str) | \REGIS
TRY\MACHINE\SOFTWARE\Classes\Interface\{972DE6C3-8B09-11D2-B652-A1FD6CC34260}\ProxyStubClsid32\ =
"{00020420-0000-0000-C000-000000000046}" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A2-C5AE-11D2-8D1B-00104B9E072A}\ = "DSSTabPanelControlEvents" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\ = "ISSBase" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE8-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA478DA1-3920-11D3-9DD0-8067E4A06603}\Programmable BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE11629B-36DF-11D3-9DD0-89D6DBBBA800}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{643F1350-1D07-11CE-9E52-0000C0554C0A}\InprocServer32 BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\Version = "2.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628} BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" BonziBuddy432.exe -
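Every row in this table is an HKLM (\REGISTRY\MACHINE) write under Classes\CLSID, Classes\Interface or Classes\TypeLib by the BonziBuddy binaries, Microsoft Agent (AgentSvr.exe) and regsvr32.exe, which is what ordinary COM/ActiveX registration looks like. What would make such a row interesting is different: a CLSID registered under a user hive (HKCU Classes entries are consulted before HKLM for the same CLSID, the classic COM hijack), or an InprocServer32 default value pointing at a DLL in a user-writable path. The Python below is an added example for this report, not sandbox code: it parses rows in the flattened format the report prints and sorts them into those buckets. The first six sample rows are copied from the table; the seventh is constructed (placeholder SID, CLSID, DLL path and process name) to show what a hijack-shaped row looks like.

```python
"""Parse flattened sandbox registry rows and separate COM registration from hijack candidates.

Row format assumed (as the report prints it):  <action> <key>[ = "<value>"] <process>
with actions 'Key created', 'Key deleted', 'Set value (str)' or 'Set value (int)'.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ACTION = r"Key created|Key deleted|Set value \((?:str|int)\)"
# Lazy key match so keys containing spaces ("Implemented Categories") survive; the
# process token is anchored by the next action or the end of input. Assumption: a key
# path never ends in .exe/.dll immediately before whitespace.
ROW_R = re.compile(
    rf"({ACTION})\s+(.+?)\s+(\S+\.(?:exe|dll))(?=\s+(?:{ACTION})|\s*$)",
    re.IGNORECASE | re.DOTALL,
)
COM_KEY = re.compile(r"\\Classes\\(?:WOW6432Node\\)?(CLSID|Interface|TypeLib)\\", re.IGNORECASE)
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\", re.IGNORECASE)


@dataclass(frozen=True)
class Row:
    action: str
    key: str
    value: Optional[str]
    process: str


def parse_rows(text: str) -> list:
    """Split the flattened text into Row objects, in order of appearance."""
    rows = []
    for m in ROW_R.finditer(text):
        key, sep, value = m.group(2).partition(" = ")
        rows.append(Row(m.group(1), key, value.strip().strip('"') if sep else None, m.group(3)))
    return rows


def classify(row: Row) -> str:
    """Label one row; only Classes\\CLSID|Interface|TypeLib keys count as COM."""
    if not COM_KEY.search(row.key):
        return "other"
    if USER_HIVE.match(row.key):
        # Per-user COM registration shadows the machine-wide entry for the same CLSID.
        return "HKCU COM registration (hijack candidate)"
    if row.action.lower() == "key deleted":
        return "COM key deleted"
    return "COM registration"


def summarize(rows) -> dict:
    """process -> Counter of labels."""
    out = defaultdict(Counter)
    for r in rows:
        out[r.process][classify(r)] += 1
    return dict(out)


# Rows 1-6 copied from the report table; row 7 is constructed for illustration.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628} BonziBuddy432.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFC9BA2-FE87-11D2-9DCF-ED29FAFE371D}\InprocServer32\ThreadingModel = "Apartment" BonziBuddy432.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} BonziBuddy432.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinStorage BonziBuddy432.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6}\ = "BonziBUDDY.clsBBPlayer" BonziBDY_4.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Classes\CLSID\{DEADBEEF-0000-0000-0000-000000000000}\InprocServer32\ = "C:\Users\Admin\AppData\Roaming\placeholder.dll" constructed.exe
"""

if __name__ == "__main__":
    for proc, counts in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(proc, dict(counts))
```

Run it on the whole "Modifies registry class" text of a report and anything in the hijack bucket, or any InprocServer32 default value outside Program Files or System32, is what to open first.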
Modifies registry key 1 TTPs 64 IoCs
pid | Process
reg.exe, 64 separate instances: 13444, 20428, 25980, 28408, 15620, 27084, 12396, 10032, 18208, 20764, 27520, 20784, 31528, 8408, 29580, 6316, 30468, 32144, 4676, 8076, 9420, 16400, 8728, 26748, 22472, 29712, 28584, 24336, 10236, 5904, 32152, 20880, 28120, 708, 18308, 5144, 14572, 9844, 7124, 14608, 29408, 28728, 26776, 31780, 28424, 26460, 7348, 12080, 18772, 21712, 22496, 32148, 4540, 9484, 12352, 11956, 25656, 31748, 32996, 9852, 6588, 3000, 12024, 24088
NTFS ADS 11 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{F5B0384B-039C-42DE-B518-4A9E4D585B3F}\8tr.exe:Zone.Identifier | WINWORD.EXE
File opened for modification | C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\PolyRansom (1).exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Bon.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CodeRed.a.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier | msedge.exe
Zone.Identifier is the Mark-of-the-Web stream. The msedge.exe rows are the browser tagging each download with its origin zone and are expected; they are also the inventory of what the user pulled from the site. The row to follow up is WINWORD.EXE writing the stream onto 8tr.exe in a GUID-named Temp folder, which is consistent with Word extracting an embedded executable from one of the opened documents (Office propagates the mark to objects it extracts); check which document the WINWORD.EXE instances (PIDs 5880 and 4688) had open at the time.
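The stream itself is a small INI-style text (a [ZoneTransfer] section with ZoneId and, for browser downloads, ReferrerUrl and HostUrl). The Python below is an added example for this report, not sandbox code: it parses that format and applies the two checks a responder makes over a Downloads folder, whether an Internet-zone file is of a type Windows will execute, and whether a risky file has no mark at all (never tagged, or stripped). The stream contents and URLs are constructed; the file names match the table above but none of the stream values come from the sandbox. On a live host the raw stream comes from PowerShell's Get-Content -Path <file> -Stream Zone.Identifier.

```python
"""Parse NTFS Zone.Identifier (Mark of the Web) streams and triage downloaded files."""
import configparser
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import urlsplit

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Types Windows runs directly, or that commonly carry macros or nested payloads.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta",
                    ".msi", ".dll", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso"}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: str = ""
    host_url: str = ""


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[ZoneIdentifier]:
    """Parse the [ZoneTransfer] section; None when the stream is absent, empty or malformed."""
    if not stream_text or not stream_text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId / ReferrerUrl / HostUrl casing
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sect = cp["ZoneTransfer"]
    try:
        zone_id = int(sect.get("ZoneId", "").strip())
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, sect.get("ReferrerUrl", ""), sect.get("HostUrl", ""))


def triage(path: str, stream_text: Optional[str]) -> list:
    """Findings for one file given its path and the raw text of its Zone.Identifier stream."""
    findings = []
    ext = PureWindowsPath(path).suffix.lower()
    zi = parse_zone_identifier(stream_text)
    if zi is None:
        if ext in RISKY_EXTENSIONS:
            # No mark means SmartScreen / Protected View never saw this file as foreign.
            findings.append("no Mark of the Web on a risky file type")
        return findings
    zone = ZONE_NAMES.get(zi.zone_id, f"zone{zi.zone_id}")
    if zi.zone_id >= 3 and ext in RISKY_EXTENSIONS:
        findings.append(f"{zone}-zone {ext} file")
    host = urlsplit(zi.host_url).hostname if zi.host_url else None
    ref = urlsplit(zi.referrer_url).hostname if zi.referrer_url else None
    if host and ref and host != ref:
        # The page the user was on is not the host that served the binary.
        findings.append(f"served from {host}, referred by {ref}")
    return findings


def triage_all(samples: dict) -> dict:
    return {path: triage(path, text) for path, text in samples.items()}


# Constructed stream contents (example.test hosts); None = no stream on the file.
SAMPLE_STREAMS = {
    r"C:\Users\Admin\Downloads\CoronaVirus.exe":
        "[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://example.test/\n"
        "HostUrl=https://cdn.example.test/CoronaVirus.exe\n",
    r"C:\Users\Admin\Downloads\Melissa.doc":
        "[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://example.test/\n"
        "HostUrl=https://example.test/Melissa.doc\n",
    r"C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt":
        "[ZoneTransfer]\nZoneId=3\n",
    r"C:\Users\Admin\AppData\Local\Temp\{F5B0384B-039C-42DE-B518-4A9E4D585B3F}\8tr.exe": None,
}

if __name__ == "__main__":
    for path, findings in triage_all(SAMPLE_STREAMS).items():
        print(path, "->", findings or "clean")
```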
Opens file in notepad (likely ransom note) 3 IoCs
pid | Process
14792 | NOTEPAD.EXE
14816 | NOTEPAD.EXE
15004 | NOTEPAD.EXE
Three Notepad instances late in the run; the "ransom note" reading is a heuristic (ransomware families open their note in Notepad once encryption finishes) and this signature does not record which files were opened, so confirm it against the file-open events for those PIDs.
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid | Process
5880 | WINWORD.EXE (2 entries)
4688 | WINWORD.EXE
Word registering a clipboard format listener is normal Office behaviour; on its own this is a low-value signal.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3896 | msedge.exe (2 entries)
3208 | msedge.exe (3 entries)
3144 | identity_helper.exe (2 entries)
756 | msedge.exe (2 entries)
4792 | msedge.exe (2 entries)
1464 | msedge.exe (4 entries)
5228 | msedge.exe (2 entries)
5664 | msedge.exe (2 entries)
6064 | msedge.exe (2 entries)
1580 | CoronaVirus.exe (the remaining 43 entries)
The browser and identity_helper.exe rows are routine. The one to pursue is CoronaVirus.exe (PID 1580), one of the files the browser downloaded (see NTFS ADS), enumerating processes over and over: ransomware commonly walks the process list to terminate applications holding open the files it intends to encrypt.
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3208 | msedge.exe
3864 | NiIIYoMM.exe
NiIIYoMM.exe (PID 3864) is a mixed-case, random-looking name that matches none of the downloaded files listed under NTFS ADS; it is a good pivot for the rest of the trace.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 63 IoCs
pid | Process
3208 | msedge.exe (all 63 entries)
This is the Edge browser process applying the block-non-Microsoft-binaries process mitigation (PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON) to the helper processes it creates, a standard part of the Chromium sandbox; it is not an indicator by itself.
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
(consecutive entries for the same process merged, order preserved)
Token: 33, SeIncBasePriorityPrivilege | 5392 | AgentSvr.exe
Token: 33, SeIncBasePriorityPrivilege | 5516 | AUDIODG.EXE
Token: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege | 5392 | AgentSvr.exe
Token: 33, SeIncBasePriorityPrivilege | 4084 | AUDIODG.EXE
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 18660 | vssvc.exe
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege | 5880 | WINWORD.EXE
Token: SeSecurityPrivilege | 20476 | msiexec.exe
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, then the same sequence again from SeShutdownPrivilege through SeCreatePermanentPrivilege (list capped at 64 entries) | 5880 | WINWORD.EXE
Reading this: WINWORD.EXE walking the entire privilege list in canonical order, twice, is the pattern of code that calls AdjustTokenPrivileges on every privilege it knows of rather than the one it needs (installer and COM helper code does this, and msiexec.exe enabling SeSecurityPrivilege sits inside that run). The sandbox records the attempt, not the outcome: a privilege the token does not hold cannot be enabled (AdjustTokenPrivileges returns success with GetLastError set to ERROR_NOT_ALL_ASSIGNED), so these rows only matter for SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege/SeRestorePrivilege and SeImpersonatePrivilege, and only if the process ran with a token that actually held them. The sandbox user is Admin, so check whether that Word instance was elevated. The vssvc.exe row is the Volume Shadow Copy service becoming active during the run (see "Uses Volume Shadow Copy service COM API" below).
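The table above is the raw record; the Python below is an added example for this report, not sandbox code, that parses rows in the flattened "Token: <privilege> <pid> <process>" form the report prints and answers the two questions an analyst asks of it: which processes requested high-value privileges, and which one swept the whole list. SAMPLE is a verbatim subset of the rows above; the HIGH_VALUE set and the sweep threshold of 20 distinct privileges are my choices, not the sandbox's.

```python
"""Triage AdjustPrivilegeToken rows: high-value privilege requests and enable-everything sweeps."""
import re
from collections import defaultdict

# Privileges that let a process debug or impersonate others, read or replace any
# file regardless of ACL, mint tokens, or load code into the kernel.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege", "SeManageVolumePrivilege",
}
# A process asking for this many distinct privileges is almost certainly calling
# AdjustTokenPrivileges on every privilege it knows, not on one it needs.
SWEEP_THRESHOLD = 20

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_events(text: str) -> list:
    """Return [(privilege, pid, process), ...] in order of appearance."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in TOKEN_RE.finditer(text)]


def triage_privileges(text: str) -> dict:
    """(pid, process) -> request count, distinct count, high-value hits, sweep flag."""
    by_proc = defaultdict(list)
    for priv, pid, proc in parse_token_events(text):
        by_proc[(pid, proc)].append(priv)
    report = {}
    for key, privs in by_proc.items():
        distinct = set(privs)
        report[key] = {
            "requests": len(privs),
            "distinct": len(distinct),
            "high_value": sorted(distinct & HIGH_VALUE),
            "sweep": len(distinct) >= SWEEP_THRESHOLD,
        }
    return report


# Verbatim subset of the report's AdjustPrivilegeToken rows (flattened, as printed).
SAMPLE = (
    "Token: 33 5392 AgentSvr.exe Token: SeIncBasePriorityPrivilege 5392 AgentSvr.exe "
    "Token: SeBackupPrivilege 18660 vssvc.exe Token: SeRestorePrivilege 18660 vssvc.exe "
    "Token: SeAuditPrivilege 18660 vssvc.exe Token: SeSecurityPrivilege 20476 msiexec.exe "
    "Token: SeShutdownPrivilege 5880 WINWORD.EXE Token: SeIncreaseQuotaPrivilege 5880 WINWORD.EXE "
    "Token: SeCreateTokenPrivilege 5880 WINWORD.EXE Token: SeAssignPrimaryTokenPrivilege 5880 WINWORD.EXE "
    "Token: SeLockMemoryPrivilege 5880 WINWORD.EXE Token: SeMachineAccountPrivilege 5880 WINWORD.EXE "
    "Token: SeTcbPrivilege 5880 WINWORD.EXE Token: SeSecurityPrivilege 5880 WINWORD.EXE "
    "Token: SeTakeOwnershipPrivilege 5880 WINWORD.EXE Token: SeLoadDriverPrivilege 5880 WINWORD.EXE "
    "Token: SeSystemProfilePrivilege 5880 WINWORD.EXE Token: SeSystemtimePrivilege 5880 WINWORD.EXE "
    "Token: SeProfSingleProcessPrivilege 5880 WINWORD.EXE Token: SeIncBasePriorityPrivilege 5880 WINWORD.EXE "
    "Token: SeCreatePagefilePrivilege 5880 WINWORD.EXE Token: SeCreatePermanentPrivilege 5880 WINWORD.EXE "
    "Token: SeBackupPrivilege 5880 WINWORD.EXE Token: SeRestorePrivilege 5880 WINWORD.EXE "
    "Token: SeDebugPrivilege 5880 WINWORD.EXE Token: SeAuditPrivilege 5880 WINWORD.EXE "
    "Token: SeSystemEnvironmentPrivilege 5880 WINWORD.EXE Token: SeChangeNotifyPrivilege 5880 WINWORD.EXE "
    "Token: SeRemoteShutdownPrivilege 5880 WINWORD.EXE Token: SeUndockPrivilege 5880 WINWORD.EXE "
    "Token: SeImpersonatePrivilege 5880 WINWORD.EXE Token: SeCreateGlobalPrivilege 5880 WINWORD.EXE "
)

if __name__ == "__main__":
    for (pid, proc), r in sorted(triage_privileges(SAMPLE).items()):
        flag = " SWEEP" if r["sweep"] else ""
        print(f"{proc} (pid {pid}): {r['distinct']} distinct / {r['requests']} requests{flag}; "
              f"high-value: {', '.join(r['high_value']) or 'none'}")
```

A sweep is usually installer behaviour rather than an attack, so treat it as context; the rows that deserve a token check are the high-value hits from processes that had no business asking (an Office process requesting SeDebugPrivilege, for instance).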
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3208 | msedge.exe (62 entries)
5392 | AgentSvr.exe (2 entries, between the msedge.exe runs)
Suspicious use of SendNotifyMessage 30 IoCs
pid | Process
3208 | msedge.exe (28 entries)
5392 | AgentSvr.exe (2 entries, between the msedge.exe runs)
Suspicious use of SetWindowsHookEx 32 IoCs
pid | Process
4816 | BonziBuddy432.exe
4068 | MSAGENT.EXE
1932 | tv_enua.exe
5352 | AgentSvr.exe
5376 | BonziBDY_4.EXE (2 entries)
4544 | MiniSearchHost.exe
3208 | msedge.exe
5880 | WINWORD.EXE (7 entries)
4688 | WINWORD.EXE (4 entries)
5880 | WINWORD.EXE (13 entries)
SetWindowsHookEx is used legitimately by the BonziBuddy/Microsoft Agent installers and by Office, and this signature does not record the hook type; only a low-level keyboard hook (WH_KEYBOARD_LL) from an unexpected process would make it a keylogging indicator.
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 460 wrote to memory of 3208 (2 entries) | 460 | iexplore.exe | 81
PID 3208 wrote to memory of 1144 (2 entries) | 3208 | msedge.exe | 84
PID 3208 wrote to memory of 3680 (repeated entries) | 3208 | msedge.exe | 85
PID 3208 wrote to memory of 3896 (2 entries) | 3208 | msedge.exe | 86
PID 3208 wrote to memory of 1780 (repeated entries) | 3208 | msedge.exe | 87
The msedge.exe entries are the browser process setting up its own helpers (1144 crashpad-handler, 3680 gpu-process, 3896 network service, 1780 storage service in the tree below): the Chromium sandbox broker writes policy data into each child it creates before the child starts, so parent-to-fresh-child writes here are not injection evidence. The remaining two entries are iexplore.exe writing into the msedge.exe it launched.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware routinely drives it, through this COM API, vssadmin or WMI, to enumerate and delete shadow copies so that encrypted files cannot be rolled back; the vssvc.exe rows under AdjustPrivilegeToken above (SeBackupPrivilege, SeRestorePrivilege) show the service becoming active during the run. This signature only records that the API was used, so check the full trace for a delete call before concluding that the copies were destroyed.
Processes
Tree indented by depth (parent above its children); each entry gives the image, the command line as recorded, the signatures attributed to that process and its PID. The browser is Edge 90.0.818.66 (Chromium 90.0.4430.212, a 2021 build); every Edge helper below is a child of msedge.exe PID 3208. When reading the tree: PID 3416 appears twice (identity_helper.exe, later renderer 15), which is PID reuse over the run, not one process; the second gpu-process (PID 1464, --disable-gpu-sandbox --use-gl=disabled) is Edge's own software-rendering fallback inside the VM, launched by PID 3208, not sandbox tampering by the sample; and the quarantine.mojom.Quarantine utility (PID 4792) is the Edge process that writes the Zone.Identifier streams listed under NTFS ADS.

C:\Program Files\Internet Explorer\iexplore.exe  [PID 460]
  cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://bonzi.link/
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3208]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "https://bonzi.link/"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1144]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ffe2bfa3cb8,0x7ffe2bfa3cc8,0x7ffe2bfa3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3680]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3896]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      - Downloads MZ/PE file
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1780]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1004]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1524]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1884]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1924]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4628]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  [PID 3416]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  [PID 3144]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 756]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1408]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2036]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2632]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3416]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3884]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4012]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4792]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7024 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3460]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2820]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1464]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3076 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2996]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3524]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5212]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5596]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5168]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4956]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5840]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6912 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5188]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:13⤵PID:5288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:13⤵PID:2248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:13⤵PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:13⤵PID:3884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:13⤵PID:5536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:13⤵PID:2760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:13⤵PID:3272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:13⤵PID:3064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:13⤵PID:2196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:13⤵PID:5704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:13⤵PID:3708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:13⤵PID:1584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:13⤵PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:13⤵PID:5416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:13⤵PID:4600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:13⤵PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:13⤵PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:13⤵PID:3936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7748 /prefetch:83⤵PID:2500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:13⤵PID:5140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8736 /prefetch:83⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4976 /prefetch:83⤵PID:2604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:13⤵PID:5472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8948 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5664
-
-
[depth 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5880

  [depth 4] C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:3880

[depth 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  PID:1564

[depth 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  PID:3500

[depth 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  PID:1512
[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  PID:2828

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8968 /prefetch:8
  PID:1160

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6064
[depth 3] C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

  [depth 4] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID:2552

    [depth 5] C:\Windows\system32\mode.com
      mode con cp select=1251
      PID:18236

    [depth 5] C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:26848

  [depth 4] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID:15248

    [depth 5] C:\Windows\system32\mode.com
      mode con cp select=1251
      PID:10792

    [depth 5] C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:10688

  [depth 4] C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID:14984

  [depth 4] C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID:11180
[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8892

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9076 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8688

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12964

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8912 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:8588

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14861508145452443790,9155763898877415246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8928 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7164
[depth 3] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1).exe"
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2424

  [depth 4] C:\Users\Admin\qoEwwckw\NiIIYoMM.exe
    "C:\Users\Admin\qoEwwckw\NiIIYoMM.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3864

    [depth 5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      PID:9444

      [depth 6] C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        - Modifies Internet Explorer settings
        PID:9584

        [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "about:blank"
          PID:9624

          [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffe2bfa3cb8,0x7ffe2bfa3cc8,0x7ffe2bfa3cd8
            PID:8620

    [depth 5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      PID:25796

      [depth 6] C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        - Modifies Internet Explorer settings
        PID:16992

        [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "about:blank"
          PID:23232

          [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe2bfa3cb8,0x7ffe2bfa3cc8,0x7ffe2bfa3cd8
            PID:23152

  [depth 4] C:\ProgramData\OWskMkMs\ZyAgYcAk.exe
    "C:\ProgramData\OWskMkMs\ZyAgYcAk.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4380
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:6172

[depth 5] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:10616

[depth 6] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  - System Location Discovery: System Language Discovery
  PID:7672

[depth 7] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:9200

[depth 8] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:29060

[depth 9] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:14360

[depth 10] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:21340

[depth 11] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:17360

[depth 12] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:31408

[depth 13] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:19656

[depth 14] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:20060

[depth 15] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4812

[depth 16] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:20532

[depth 17] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:6696

[depth 18] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:7240

[depth 19] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:7916

[depth 20] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:8208

[depth 21] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:8564

[depth 22] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:12976

[depth 23] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:8236

[depth 24] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:10560

[depth 25] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:8136

[depth 26] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:828

[depth 27] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:8556

[depth 28] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:7940

[depth 29] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:7220

[depth 30] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:6884

[depth 31] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:6756

[depth 32] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:10596

[depth 33] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:16780

[depth 34] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:11348

[depth 35] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:17072

[depth 36] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  - System Location Discovery: System Language Discovery
  PID:9384

[depth 37] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:16568

[depth 38] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:14556

[depth 39] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:9028

[depth 40] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:11120

[depth 41] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11016

[depth 42] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:9136

[depth 43] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:10128

[depth 44] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:8888

[depth 45] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:11128

[depth 46] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:11832

[depth 47] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:11988

[depth 48] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:13336

[depth 49] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:13504

[depth 50] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:14016

[depth 51] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:14112

[depth 52] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:14728

[depth 53] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:14692

[depth 54] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:15348

[depth 55] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:16016

[depth 56] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:16068

[depth 57] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:17316

[depth 58] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  - System Location Discovery: System Language Discovery
  PID:7976

[depth 59] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:17648

[depth 60] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:18596

[depth 61] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:7364

[depth 62] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:18580

[depth 63] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:23620

[depth 64] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:19076

[depth 65] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:25008

[depth 66] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:19316

[depth 67] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:19432

[depth 68] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:18872

[depth 69] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:20064

[depth 70] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:20112

[depth 71] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:20368

[depth 72] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:20236

[depth 73] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:26508

[depth 74] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:25016

[depth 75] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:26772

[depth 76] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:28712

[depth 77] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:29364

[depth 78] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:19860

[depth 79] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:10956

[depth 80] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:20704

[depth 81] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:20756

[depth 82] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:28212

[depth 83] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:22360

[depth 84] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:22488

[depth 85] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:11364

[depth 86] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:11600

[depth 87] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:14316

[depth 88] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:14456

[depth 89] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:14904

[depth 90] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:13612

[depth 91] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:13524

[depth 92] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:18172

[depth 93] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:21464

[depth 94] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:17312

[depth 95] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:18336

[depth 96] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  - System Location Discovery: System Language Discovery
  PID:21660

[depth 97] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:21756

[depth 98] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
  PID:21988

[depth 99] C:\Users\Admin\Downloads\PolyRansom (1).exe
  "C:\Users\Admin\Downloads\PolyRansom (1)"
  - Executes dropped EXE
  PID:22176

[depth 100] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"
- System Location Discovery: System Language Discovery
PID:25520 -
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"101⤵
- Executes dropped EXE
PID:28396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"102⤵PID:28772
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"103⤵
- Executes dropped EXE
PID:22612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"104⤵PID:22788
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"105⤵PID:25624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"106⤵PID:23472
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"107⤵PID:26904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"108⤵
- System Location Discovery: System Language Discovery
PID:27844 -
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"109⤵PID:19912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"110⤵PID:23964
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"111⤵PID:24520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"112⤵
- System Location Discovery: System Language Discovery
PID:24624 -
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"113⤵PID:25144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"114⤵PID:25416
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"115⤵PID:25852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"116⤵PID:23220
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"117⤵PID:25816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"118⤵PID:25080
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"119⤵PID:26016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"120⤵PID:26180
-
C:\Users\Admin\Downloads\PolyRansom (1).exe"C:\Users\Admin\Downloads\PolyRansom (1)"121⤵PID:26008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom (1)"122⤵PID:26356