wannacry | 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Windows\\Maria.doc .exe"	Bezilom.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	HitmanPro_x64.exe
File opened (read-only)	\??\F:	HitmanPro_x64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
405	raw.githubusercontent.com
198	raw.githubusercontent.com
199	raw.githubusercontent.com
200	raw.githubusercontent.com
201	raw.githubusercontent.com

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\	HitmanPro_x64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File created	C:\Windows\SysWOW64\ddraw32.dll	Bumerang.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000028a07-6559.dat	upx
behavioral1/memory/3524-7963-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x0007000000028a8d-7967.dat	upx
behavioral1/memory/3524-7972-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1328-7973-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/5944-7979-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x0008000000029181-10330.dat	upx
behavioral1/memory/1632-10347-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1632-10442-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Maria.doc .exe	Bezilom.exe
File opened for modification	C:\Windows\Maria.doc .exe	Bezilom.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WiresharkPortable64_4.4.5.paf.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bumerang.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 4 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	HitmanPro_x64.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	1328	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bumerang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddraw32.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bezilom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiresharkPortable64_4.4.5.paf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiresharkPortable64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	HitmanPro_x64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\	HitmanPro_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	HitmanPro_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport\	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	HitmanPro_x64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	HitmanPro_x64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	HitmanPro_x64.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	HitmanPro_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\	HitmanPro_x64.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Wireshark.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wireshark.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Wireshark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
3328	taskkill.exe
2104	taskkill.exe
6040	taskkill.exe
1364	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 12 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	HitmanPro_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	HitmanPro_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HitmanPro_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	HitmanPro_x64.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WiresharkPortable64_4.4.5.paf.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bumerang.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
556	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5824	Wireshark.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	WMIC.exe
2040	WMIC.exe
2040	WMIC.exe
2040	WMIC.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4276	taskmgr.exe
5824	Wireshark.exe
4276	mmc.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	6040	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: 36	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: 36	2040	WMIC.exe
Token: SeBackupPrivilege	5980	vssvc.exe
Token: SeRestorePrivilege	5980	vssvc.exe
Token: SeAuditPrivilege	5980	vssvc.exe
Token: SeDebugPrivilege	4276	taskmgr.exe
Token: SeSystemProfilePrivilege	4276	taskmgr.exe
Token: SeCreateGlobalPrivilege	4276	taskmgr.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: SeDebugPrivilege	2916	firefox.exe
Token: 33	4276	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4276	taskmgr.exe
Token: SeDebugPrivilege	2916	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe
4276	taskmgr.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2396	!WannaDecryptor!.exe
2396	!WannaDecryptor!.exe
2108	!WannaDecryptor!.exe
2108	!WannaDecryptor!.exe
2176	!WannaDecryptor!.exe
2176	!WannaDecryptor!.exe
4760	!WannaDecryptor!.exe
4760	!WannaDecryptor!.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
5632	Bezilom.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
4276	mmc.exe
4276	mmc.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe
2916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 5288 wrote to memory of 2916	5288	firefox.exe	84
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 1824	2916	firefox.exe	85
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86
PID 2916 wrote to memory of 5876	2916	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5288
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Drops desktop.ini file(s)
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27100 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {33178509-c573-4782-8552-3e07dd7c5caa} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27136 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {51dd115b-4823-4ae4-a8de-cb2455f8fc73} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 27277 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {588af00c-0d2f-4bb9-8024-a129f3c3f8b9} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4032 -prefsLen 27277 -prefMapHandle 4036 -prefMapSize 270279 -ipcHandle 3984 -initialChannelId {3f81b3ca-2c97-4db5-989d-8330a803bb90} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3168 -prefsLen 34776 -prefMapHandle 3292 -prefMapSize 270279 -jsInitHandle 3296 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3052 -initialChannelId {a7df9d51-63a3-401d-9c8d-6775ff1fac55} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:3784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5100 -prefsLen 35013 -prefMapHandle 5104 -prefMapSize 270279 -ipcHandle 5068 -initialChannelId {93ec43e6-bad8-4a25-ae4b-ce162ddce5d3} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5212 -prefsLen 32900 -prefMapHandle 5216 -prefMapSize 270279 -jsInitHandle 5220 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5236 -initialChannelId {98a1d999-8b7b-4613-ae59-cb551b8d1066} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5248 -prefsLen 32900 -prefMapHandle 5252 -prefMapSize 270279 -jsInitHandle 5256 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5264 -initialChannelId {58447d70-3d8c-42d6-80e0-259605986aad} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5660 -prefsLen 32900 -prefMapHandle 5664 -prefMapSize 270279 -jsInitHandle 5668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5676 -initialChannelId {4fa68e57-4bd4-4aac-ae96-1b68c2aa88a7} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 22000 -prefsLen 36931 -prefMapHandle 6972 -prefMapSize 270279 -jsInitHandle 2712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8172 -initialChannelId {f6ecdea2-4b9b-4f6a-90e2-66fa9e2ea337} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 15536 -prefsLen 36931 -prefMapHandle 15540 -prefMapSize 270279 -jsInitHandle 15604 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 22336 -initialChannelId {fb7872b0-ff2d-4bc1-b011-73d2fa5b7b7f} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:2812
- - C:\Users\Admin\Downloads\Bezilom.exe
    "C:\Users\Admin\Downloads\Bezilom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 21112 -prefsLen 36971 -prefMapHandle 21100 -prefMapSize 270279 -jsInitHandle 21132 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7516 -initialChannelId {dc591f77-2d64-4d9d-b6ad-684f9b1ac12b} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 16036 -prefsLen 36971 -prefMapHandle 17420 -prefMapSize 270279 -jsInitHandle 15868 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 26136 -initialChannelId {75488210-8316-4b26-9935-2921c47236c0} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 15536 -prefsLen 36971 -prefMapHandle 15540 -prefMapSize 270279 -jsInitHandle 2816 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6924 -initialChannelId {c8fb16cf-ad7b-4036-b7d1-1ea1150cb34e} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
    3⤵
    - Checks processor information in registry
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9580 -prefsLen 37027 -prefMapHandle 26080 -prefMapSize 270279 -jsInitHandle 21144 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 15592 -initialChannelId {b796dc0d-0240-47b4-8f75-f550d6442e41} -parentPid 2916 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2916" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab
    3⤵
    - Checks processor information in registry
    PID:5512
- - C:\Users\Admin\Downloads\WiresharkPortable64_4.4.5.paf.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64_4.4.5.paf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3228
- - C:\Users\Admin\Downloads\HitmanPro_x64.exe
    "C:\Users\Admin\Downloads\HitmanPro_x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe" /update:"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
      4⤵
      Executes dropped EXE
      PID:2492
    - - C:\Users\Admin\Downloads\HitmanPro_x64.exe
        
        "C:\Users\Admin\Downloads\HitmanPro_x64.exe" /updated:"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Unexpected DNS network traffic destination
        Enumerates connected drives
        Maps connected drives based on registry
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Modifies system certificate store
        
        PID:3948
- - C:\Users\Admin\Downloads\Mantas.exe
    "C:\Users\Admin\Downloads\Mantas.exe"
    3⤵
    PID:1632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5660

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 23891742751638.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\!Please Read Me!.txt
1⤵
PID:5808

C:\Users\Admin\Downloads\Bumerang.exe
"C:\Users\Admin\Downloads\Bumerang.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3524
- C:\Windows\SysWOW64\ddraw32.dll
  C:\Windows\system32\ddraw32.dll
  2⤵
  - Executes dropped EXE
  PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 360
    3⤵
    - Program crash
    PID:456
- C:\Windows\SysWOW64\ddraw32.dll
  C:\Windows\system32\ddraw32.dll :C:\Users\Admin\Downloads\Bumerang.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1328 -ip 1328
1⤵
PID:1184

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276

C:\Users\Admin\Downloads\WiresharkPortable64\WiresharkPortable64.exe
"C:\Users\Admin\Downloads\WiresharkPortable64\WiresharkPortable64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492
- C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe
  "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5824
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\androiddump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\androiddump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:3748
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:4804
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:1128
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:928
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:5684
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe" --extcap-interfaces --extcap-version=4.4
    3⤵
    - Executes dropped EXE
    PID:5680
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:5800
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
    3⤵
    - Executes dropped EXE
    PID:1320
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-config --extcap-interface randpkt
    3⤵
    - Executes dropped EXE
    PID:1136
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe" --extcap-config --extcap-interface sshdump.exe
    3⤵
    - Executes dropped EXE
    PID:4368
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-config --extcap-interface udpdump
    3⤵
    - Executes dropped EXE
    PID:3688
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe" --extcap-config --extcap-interface wifidump.exe
    3⤵
    - Executes dropped EXE
    PID:5228
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe
    C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe --log-level MESSAGE -S -D -L --signal-pipe 5824.dummy -Z 2012
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5660
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-dlts --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-dlts --extcap-interface etwdump
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-dlts --extcap-interface randpkt
    3⤵
    - Executes dropped EXE
    PID:392
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\sshdump.exe" --extcap-dlts --extcap-interface sshdump.exe
    3⤵
    - Executes dropped EXE
    PID:4784
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-dlts --extcap-interface udpdump
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\wifidump.exe" --extcap-dlts --extcap-interface wifidump.exe
    3⤵
    - Executes dropped EXE
    PID:2284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4804
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:1920
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:5392
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:5672
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:5136
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\ciscodump.exe" --extcap-config --extcap-interface ciscodump
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-config --extcap-interface udpdump
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-config --extcap-interface udpdump
    3⤵
    - Executes dropped EXE
    PID:3704
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --extcap-config --extcap-interface udpdump
    3⤵
    - Executes dropped EXE
    PID:4248
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\udpdump.exe" --capture --extcap-interface udpdump --fifo \\.\pipe\wireshark_extcap_udpdump_20250323175034 --port 5555 --payload data
    3⤵
    - Executes dropped EXE
    PID:3756
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe
    C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe --log-level MESSAGE -F pcapng -i wireshark_extcap2868 --ifname udpdump --ifdescr "UDP Listener remote capture" --signal-pipe 5824 -Z 2872
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5044
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-config --extcap-interface randpkt
    3⤵
    - Executes dropped EXE
    PID:3352
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-config --extcap-interface randpkt
    3⤵
    - Executes dropped EXE
    PID:1360
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --extcap-config --extcap-interface randpkt
    3⤵
    - Executes dropped EXE
    PID:4724
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\randpktdump.exe" --capture --extcap-interface randpkt --fifo \\.\pipe\wireshark_extcap_randpkt_20250323175059 --maxbytes 5000 --count 1000 --delay 0
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe
    C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe --log-level MESSAGE -F pcapng -i wireshark_extcap2856 --ifname randpkt --ifdescr "Random packet generator" --signal-pipe 5824 -Z 2852
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:3728
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
    3⤵
    - Executes dropped EXE
    PID:4636
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
    3⤵
    - Executes dropped EXE
    PID:3020
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe
    "C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\extcap\etwdump.exe" --capture --extcap-interface etwdump --fifo \\.\pipe\wireshark_extcap_etwdump_20250323175413
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe
    C:\Users\Admin\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe --log-level MESSAGE -F pcapng -i wireshark_extcap2792 --ifname etwdump --ifdescr "Event Tracing for Windows (ETW) reader" --signal-pipe 5824 -Z 2812
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:2900

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:2628

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3352

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4176

C:\Users\Admin\Downloads\Fagot.a.exe
"C:\Users\Admin\Downloads\Fagot.a.exe"
1⤵
PID:5024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery